From The Australian. Here's what's on the front. I'm Kristan Amiot. It's Monday, May nineteen, twenty twenty five. Prime Minister Anthony Alberizi met with Ukrainian President Voladimir Zelenski on the sidelines of Pope Leo's inauguration mass in Rome on Sunday. The pair discussed the incarceration of Australian man Oscar Jenkins, who was sentenced to thirteen years in a Russian prison after being caught fighting on the front lines for Ukraine. To net zero or not to net zero? That's the question
looming over new Liberal Party leader Susan Lay. She's under pressure from some MPs not to support a twenty to fifty emissions policy that they say demands a blank check. That exclusive story is live right now at the Australian dot Com dot AU. Hackers have harvested potentially millions of dollars from unsuspecting taxpayers by breaking into their ATO accounts
and submitting bogus tax returns. The Australian Taxation Office says its systems are safe from cyber threats, but The Australian's Paul Garvey believes there's evidence to suggest a breach like this has been a long time coming. When Kate Quinn's accountant logged in to complete her tax return at the end of the last financial year, she made a shocking discovery her tax account had been hacked and her tax return was gone paid out to a mystery bank account.
So they hacked in, They unticked notify me or notify my tax agent, change the bank account details. He said, it probably takes all of ten to fifteen seconds, and the money's gone, and the case is closed, and no one's notified, and then the bank account is closed. And I just thought this is unbelievable that it's so easy.
And the thing is, Kate's predicament isn't unique.
I reckon it's the chip of the eyes Berg. Well, I think it's happened to thousands.
The picture that's emerging is that hackers have been able to obtain the personal details of a whole lot of Australian taxpayers and their tax file numbers and basically use that data to find their way into the MyGov system and then they'll submit these fraudulent tax returns.
Paul Garvey is a senior reporter with the Australian.
It seems as though about eight thousand dollars is the magic number that these hackers go after, and that it's large enough to make it worth their while, but not so large that triggers the automatic red flags within the ato's own system. The other scary thing here is that the hacks, by and large seem to be found almost by accident, when individuals or their accountants go to lodge that year's tax return and find hang on this tax returns already been lodged. So that's when the alarm bells ring.
And so it's really quite concerning that these things are happening at this sort of scale and seemingly off the radar.
The ATO uses multi factor authentication to protect users online accounts. That's where you plug in a unique code received via email or text message before you can log in, and voice prints to help identify us. When we pick up the phone and call thank you.
For pulling the Australian Taxation Office Individual Info Line. We've introduced a highly secure and faster way to access your information. Your call will be recorded to improve our services and to create your unique voice print, which may be used to verify your identity.
But the multi factor authentication wasn't triggered when Kate's account was compromised, and nobody seems to know how the hackers are getting around it.
These are the processes that they're annoying when we have to go through them in our day to day lives, but they're there for a very good reason, and that is to prevent this sort of thing happening. And it seems as though that system, for whatever reason, is just breaking down inside the ato's processes here, that those two factor authentications aren't triggering at the right times, aren't triggering for the right sort of matters, and really open the
door of these kind of incidents. And it's something that's been identified previously in investigations into the ato's online security systems. And if these cases of Kate and other people I've spoken to another accounts that I've read are accurate, then there seems to be a lingering issue in the way these things are managed.
And so, Paul, what's the ATO doing to recover that money that's been fraudulently paid out to the hackers.
It would be great to get some more information from the ATO on this, because it would seem to me from the outside like it should be quite straightforward, right. This money's being sent to a bank account, and we have all these sorts of know your customer laws in Australia, all these money laundering laws in Australia where banks are supposed to be able to know just who is actually
holding these bank accounts. Yet there's been no clear explanation to me that those requirements are actually being effective here identifying who is actually receiving this money and are they getting it back from them. It's a big issue for the at cloring this back and we would love to know how successful they're being and if they're not being successful, what needs to change to get that money back because
it belongs to all of us. It's tax payer money at the end of the day, and we need to get these moneies back.
Over a series of phone calls, Kate Quinn, who works in the not for profit sector, was told she could face a long wait to see the situation resolved.
I was told would be waiting up to a year while they investigate. And I said, no, this is not right. I pay my taxes, this is my money. And I said, I don't see why you can't honor this, and they said, yeah, it doesn't work like that. You'll be waiting quite a long time. She kept on them, so I gave it a few months and I called back just to annoy them, and they all said it's under investigation for yours and a ton of others.
Kate did eventually receive her tax refund, but not everyone who was hacked has seen the same outcome.
Looking at the ato's own community page where people can go up there and post questions for the ATO, you can see there's multiple people all saying the same sort of thing, and you can imagine the panic as well for individuals when they find this out right, because a lot of people are terrified that they will be obliged to pay back that fraudulent return themselves. There's the uncertainty that comes with that. And also for a lot of people, that tax return money can be a really important piece
of financial relief. Right these are tough financial times, cost a living crisis. That couple of grand in your pocket on the back of a tax return can be the thing that really keeps a lot of families afloat. And so if there's fraud hanging over that account, can they actually go ahead and claim their legitimate entitlement. So it's a scary process and it's not a quick process to resolve either, So that's a lot of sleepless nights for a lot of people when wanted to get this resolved.
So how many people are we talking here?
I did ask them that direct question, and the response that came back with didn't address that. I can see through other reports that there's certainly many instances, at least dozens. But interestingly, talking to people like Kate who have been through this process, when they're talking over the phone to ato people, they can start to gauge from the conversations to how big an issue this is. And Kate's come away convinced that this is a matter of four thousands
of people. And when you think of the sheer number of taxpayers, you only need a tiny sliver of them to be compromised to get some pretty chunky numbers pretty fast.
And in some cases the hackers are actually putting in not just the most recent years refund but also prior years as well, So going back a second and a third time to make more and more claims, you're talking about twenty thousand dollars plus for each of these individuals and that's money that I guess belongs to each and every one of us, right it's paid out by the Tax Office incorrectly. We're all on the hook for that
at the end of the day. So it really is a problem that really everyone should be concerned about.
Coming up. Why this storm's been brewing for a while. When Kate Quinn flicked on the TV about a month ago, she caught the end of a news bulletin about a major.
Hack and I thought, Ah, this is it. I knew this would happen, but it was people super being hacked into.
Several Australian superannuation funds have been targeted by cyber criminals. It's caused panic and frustration for thousands of members who've been unable to check whether their nest egg has been impacted.
The question now is how has a hack of the Australian Tax Office managed to fly under the radar for so long. Here's Paul Garvey diving into this.
I can see that this has been a brewing issue for the ATO for a long time now, well over a decade that there's been that these weaknesses have emerged. So as taxes become more and more in the online sphere, moving away from those old paper tax returns, if you're old enough to remember what they were like. Each step of the way, there's been I guess, holes in the system, holes in the Swiss Cheese that have allowed these sort of things to happen at varying scale along the way.
It's almost become perhaps part of the furniture of tax in Australia. The other thing is a lot of hacking incidents we hear about. There'll be the little old lady who's had a bank accounts cleaned out, the retiree who's watched their super fun disappear. These direct hip pocket hits, brutally cruel attacks on individuals that cripples them immediately and tangibly.
Where is this We're talking about tax returns that people may have even forgotten to lodge themselves, didn't even know where they're or that they had lodged previously, and which have since been amended. The victim as such isn't being the one fleeced here erectly, so it doesn't have that same kind of bite in that sense if you follow what I'm saying, and look, you could also probably draw a line to think that maybe there's an element of
self preservation here from the ATO. I mean, it looks like, talking to people like Kate and to accountants out there, that the ATO probably hasn't covered itself in glory in ensuring that its systems are as robust as we might expect from an agency as well respected and well resourced as the ATO. They might not be exactly ecstatic to be putting up in lights that some shortcomings in the system may have at best contributed to these outcomes here.
So there's a few reasons I think why it hasn't necessarily blown up as large as it perhaps deserves to be.
Labor of course, went to the election promising instant tax refunds of up to one thousand dollars for eligible Australians. That's not due to come into effect until the middle of twenty twenty seven, at the end of the twenty six twenty seven financial year. But does a breach of this magnitude have implications for that plan?
It most definitely should, because one thing that we've seen consistently over the years is that for every step taken in terms of security or in every initiative taken by a state or federal government in trying to provide some form of tax relief. There there are a whole bunch of hackers who are pouncing on that and trying to stay a few steps ahead of where regulators lawmakers are
in dealing with this sort of thing. So I would have thought that this very clearly should remind the federal government of what can happen, of the needs for these sorts of precautions, and to be constantly thinking where are the vulnerabilities, how to prevent this from being illegally exploited. Like we've said, this has been going on in some
shape or form for many years now. That's certainly not a problem that's specific to one side of government over another, but it most certainly will undermine that public confidence that we have in this. So that's certainly something for the atl itself and also for lawmakers to firmly keep in mind.
Paul Garvey is a senior reporter with The Australian. The Australian Tax Offics told Paul its systems are secure, resilient and have not been compromised. You can read his report right now at The Australian dot com dot au