The federal government’s social services agency Services Australia has seen a spike in account breaches this year as criminals use impersonation, social engineering, and leaked customer details from major data breaches to access accounts, newly released data shows.

The data, obtained by a user named CR through the freedom of information website Right to Know and first reported by The Guardian, showed Services Australia reported 43 data breaches involving impersonation or social engineering between the start of 2024 and 5 July.

The number is a 330 per cent increase on the 10 similar breaches Services Australia reported across all of 2023.

Many of the reported social engineering attacks affected numerous people, according to the data, but the exact number of victims was unclear.

Social engineering often involves scammers pretending to be someone else or manipulating people and gaining their trust to access information or accounts.

Services Australia reported only one breach involving social engineering each year from 2020 to 2022.

The agency also reported customer accounts had been accessed twice in 2023 and twice in 2022 using only stolen or compromised login credentials, such as passwords.

Services Australia general manager Hank Jongen said most of the data breaches reported by the agency were due to previously compromised customer data.

“The vast majority are the result of customer information becoming compromised through phishing scams, previous third-party data breaches occurring in Australia and overseas, as well as from small and large scale identity theft,” he told Information Age.

“If anyone is concerned the information held in their online account has been compromised, they should sign in to their account and check for any activity they don’t recognise.

“This includes confirming that personal details and contact information are correct.”

Jongen said Services Australia had notified more than 14,000 people that personal information held in their online accounts had potentially been accessed without permission in the 2023-24 financial year.

“We manage 10 million customer interactions on any given week, 90 per cent of which are digital,” he said.

“We understand how important it is to have robust measures in place to combat fraud and identity theft.”

Anyone who suspected that someone else had accessed their account could call the Services Australia Scams and Identity Theft Helpdesk on 1800 941 126, Jongen said.

myGov security improvements promised

Services Australia agreed to improve the security of its social services platform myGov in July after an investigation by the Commonwealth Ombudsman found its security was “not adequate” and some staff had not asked callers the required security questions.

In one example highlighted by the ombudsman, a victim whose stolen identity information was used to meet myGov’s Proof of Record Ownership requirements had multiple sensitive accounts compromised.

The victim’s Centrelink account was allegedly linked to a different myGov account than their own and used to change their personal details to make a fraudulent claim, before their Medicare record was also breached over the phone and their address was changed.


A Commonwealth Ombudsman's report found some issues in Services Australia's myGov security. Photo: Tom Williams / Information Age

“The customer told us the fraudsters then used their Medicare details to access his ATO [Australian Taxation Office] record, submit fraudulent tax returns and change the bank account details recorded on their ATO record to intercept the resulting refunds,” the ombudsman said.

Services Australia accepted four recommendations and two suggestions for myGov improvements from the ombudsman’s report, including implementing new processes and security controls.

An auditor-general's report released in June also found Services Australia was unprepared for “a significant or reportable cyber security incident” and was a target for criminals given the sensitive data it handled.

The agency introduced passkeys to myGov as a more secure alternative to passwords in July and said it also offered users two-factor authentication.

Australia reports spike in data breaches

The nation’s privacy watchdog, the Office of the Australian Information Commissioner (OAIC), reported earlier this month that it had received the highest number of data breach notifications in more than three years.

The OAIC was notified of 527 data breaches between January and June 2024, after a 19 per cent increase in the first half of 2023 and a further nine per cent increase in the second half of that year.

Privacy commissioner Carly Kind said the increase in breaches was evidence of “significant threats” to Australians’ privacy, which could include everything from scams to identity theft and physical harm.

Millions of Australians have had their personal information leaked in data breaches in recent years, including major incidents involving health insurance provider Medibank, telecommunications giant Optus, and defunct electronic prescriptions company MediSecure.

Australia had the ninth highest number of leaked accounts in the world per 1,000 residents in the second quarter of 2024, according to a July report by cyber security company Surfshark.

The nation experienced 54 account leaks per 1,000 residents, the company said, behind countries with the highest breach density such as the United States (344 per 1,000 residents), Russia (174), and El Salvador (142).

Surfshark researcher Kasparas Jucaitis said that while there were fewer breaches globally in the second quarter of 2024 compared with the first quarter, the numbers were “significantly higher” than in the same period in 2023.