Keeping myGov secure

What happened?

In 2022, the Office became aware of escalating media reports about tax fraud committed by unauthorised third parties linking genuine taxpayer records to fake myGov accounts. We also received and investigated complaints about unauthorised linking in Centrelink and Medicare accounts.

Unauthorised linking is where a genuine myGov customer's member service account is linked to a fake myGov account without the customer's knowledge or authorisation.

What did we do?

We initiated an investigation to examine what Services Australia, as the myGov administrator, was doing to improve security and to understand why there was an apparent lack of coordination across Centrelink and Medicare when helping people impacted by identity theft and myGov fraud.

What we found

Our investigation found:

  • myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred
  • the preventative controls for unauthorised linking are each individual member service’s ‘proof of record ownership’ (PORO) processes
  • variability in the standard of proof required to satisfy PORO processes across member services presents shared risk for myGov participants
  • there are no additional security checks to ensure high-risk transactions are authorised by the genuine customer
  • there is an apparent lack of formal processes for managing shared risks across the myGov ecosystem
  • Services Australia’s ability to provide a coordinated response to customers reporting data breaches and fraud may be limited by its enabling legislation.

Our recommendations

In our report Keeping myGov secure, we made 4 recommendations and 2 suggestions aimed at improving security controls, management of shared risks and how Services Australia responds to individual reports of fraud and breaches.

We understand that Services Australia is now consulting with relevant agencies to consider future policy settings for myGov, along with changes to address the issues with the platform identified in our report.