The Australian Taxation Office (ATO) is handling 4.7 million cyber attacks per month as cyber criminal fraudsters tap dark-web databases and ordinary Australians follow “bizarre” social-media guidance to defraud the agency, outgoing commissioner Chris Jordan has revealed.

“I’ve been asked many times ‘what keeps you awake at night?’,” Jordan told the National Press Club in a speech days before the end of his tenure, “and my response has always been ‘cyber security’.”

That includes not only direct threats to the nation’s revenue collection agency, but challenges to procedural integrity as cyber criminals use stolen data to commit fraud in other people’s names – with the agency recently revealing that over $635 million was “illegally accessed” from self-managed super funds during 2020 and 2021.

“What is of concern to me now is the industrialisation of identity theft through large scale cyber breaches,” Jordan said, noting that Medibank, Optus, and other breaches had created an “enormous pool of information that can be used to create an identity of someone.”

In one recent incident, cyber criminals used bots to create 30,000 new superannuation funds “in a very short period of time, using information from the dark web that they’ve received from these big data breaches.”

“Criminals couldn’t fill out the forms to create the new super funds quickly enough,” Jordan explained, “so they devised the bot to do that work for them. This is scary stuff, and things that we really have to keep on top of, and really have to keep investing in.”

Chris Jordan made a number of changes at the ATO during his tenure. Photo: supplied

Also problematic were incidents such as the recent investigation of 150 ATO staff and contractors – 12 of whom were ultimately terminated, including three ATO staff now facing “compliance action” for involvement in what Jordan called “bizarre” revelations that over 57,000 Australians had followed TikTok videos encouraging them to register fake businesses, then illegally claim more than $2 billion in fraudulent GST refunds.

“Our systems were never designed for people to commit fraud at such scale, in such a short period, in their own names,” Jordan said.

“These were real people with real addresses, real tax file numbers, real bank accounts that just went off on social media. It really shocked us that the community could have such an appetite to commit fraud and take money from government in that way.”

Unlike comparable overseas bodies, Jordan said the fact that the ATO lacks its own investigative powers – forcing it to rely on police support for activities like gathering evidence – had complicated fraud investigations and, at a recent overseas meeting with its peers, created the “rather absurd situation” in which the ATO had to bring an Australian Criminal Intelligence Commission representative to sit in on its behalf “because we didn’t have these powers.”

Given the fallout from Australia’s Robodebt disaster and the UK Post Office’s self-enforcement powers – which is currently playing out in the headlines – the appetite for granting government bodies such investigative powers may be limited, although Jordan said it “will be something into the future to disrupt the foreign facilitators of criminal activities.”

A decade of reinvention, and counting

Over the past decade, Jordan oversaw a digital transformation that, he said, had fundamentally reinvented a “rigid and isolated” ATO – which was focused more on catching tax cheats than proactively helping people comply with taxation obligations.

A onetime police officer who transitioned to tax policy at KPMG and then the ATO, Jordan inherited an agency weighed down by “outdated and redundant” policies that had created an adversarial corporate culture built on “overly bureaucratic processes, which I think negatively impacted the way they dealt with our clients.”

Among his first acts as commissioner was removing “3000 pages of pointless instructions” advising ATO staff on everything from how to drive in bushfires to how to apply sunscreen – a move that, he said, “marked the beginning of our reinvention journey.”

“My main message to our people was to be part of the solution, not part of the problem.”

The ensuing years saw heavy investment in digital tools that had enabled “landmark victories” such as the Tax Avoidance Taskforce’s success in clawing back around $30 billion from tax-avoiding multinationals including the likes of Apple, Facebook, Google, and Microsoft.

Digitisation of the agency had also streamlined tax lodgement, with its myTax service used by 5.5 million people last year and employee and taxpayer satisfaction north of 80 per cent – making the ATO “the most trusted federal agency in the Commonwealth,” Jordan said.

Extensive back-end data sharing between the ATO and other agencies had improved compliance monitoring – and reduced its cost of collection from $0.91 per $100 collected in 2013, to just $0.54 today.

“Our tax performance program has helped us move away from a ‘gotcha’ mentality to a preventative mindset,” Jordan said, “shifting our focus away from audit yields to improving tax performance.”

Ongoing investments in real-time tax reporting and payment information, which Jordan said will see the ATO “fully digitalised by 2030,” will see data “flow from taxpayers’ natural systems to ours, without any extra effort or intervention from them.”

“We’ve successfully charted a massive program of transformation,” he said. “We did it all in a deliberate and considered way, and we did it all ourselves – without paying millions to consultants…. Key to all this has been the digital revolution within the ATO.”