Taxpayer records exposed due to a data breach

November 19, 2015

Data breaches are depressingly regular and sometimes, rarely, unavoidable.  Hence the need for a response plan.  In the article Taxpayer records exposed by serious ATO, myGov security flaw the problem is not so much the breach, which was bad enough, but the woeful response by government when the defect was detected.  The phenomenon of extreme suspicion, if not hostility, from government or big organisations towards white hat hackers and those IT individuals who pick flaws in security has been longstanding and is deeply ingrained in the culture.  It can, and often does, translate into treating the bringer of bad news as the enemy.  The case of Joshua Rogers is a case in point.  He exposed a flaw in the Public Transport Victoria website, which was reported on 8 January 2014 in Melbourne schoolboy exposes security flaw in Public Transport Victoria’s website and Schoolboy hacks Public Transport Victoria website.  The flaw was not a minor glitch.  It enabled access to names, addresses, home and mobile phone numbers, email addresses, dates of birth and nine digit extracts of credit card numbers held by Metlink’s online store: a treasure trove of personal information that could be used for monetary gain.  PTV’s response was to report Rogers to the police, as reported in Hacked site reports boy to police.  As the article makes clear, there has probably been a breach of the law in that the site was illegally accessed.  That raises public policy issues.  Agencies can’t be seen to be allowing breaches of the law.  And often white hat hackers could learn to improve their communication skills when dealing with those outside the world of zeros and ones.  But reacting, out of embarrassment, by getting the police involved and pressing charges is not especially sensible either.

The ATO breach article provides:

Australians’ private tax records were left unsecured thanks to a serious flaw in how the tax office’s online services connect with myGov, in the latest of a series of security bungles related to the federal government’s online services.

Experts have raised concerns over the handling of IT security issues by the Australian Taxation Office and the Department of Human Services, which runs the overarching service portal myGov, after a taxpayer who tried to report the issue claimed he was hung up on twice by the agencies’ call centre staff.

myGov is a portal which provides single sign-on (SSO) to access multiple services from linked government agencies. Photo: YouTube

Sydney IT professional JP Liew recently discovered the flaw when logging into myGov to access his online tax records, only to discover he was looking at his wife’s.

In a video obtained exclusively by Fairfax Media, Liew demonstrated how downloading a PDF letter from the tax office by clicking on a link within the myGov mailbox creates a “cookie” which logs the user into (In this case, cookies are used to authenticate the “single sign-on” process, or SSO, whereby the user only has to login once with myGov to access multiple linked services, such as tax, Medicare and Centrelink.)

Because clicking on the PDF link didn’t actually open a browser page at and therefore a page was never closed, the cookie did not expire, meaning the next user who logged in to myGov and clicked on a link to saw the previous user’s records.

Security researcher Nik Cubrilovic found gaping holes in the myGov website more than a year ago. Photo: Andrew Meares

“I’ve just spent about an hour on the phone to four myGov technical support people to explain to them that there is a serious bug on the myGov website that will expose another person’s ATO information if they share the same computer and browser,” Mr Liew said in his video.

“This is very common [to share computers] in workplaces and public libraries however none of them seems to be able to understand what I was trying to say.”

The ATO said this week it had fixed the problem, however Mr Liew removed the video from YouTube after the department raised security concerns.

DHS has been asked to clarify whether the flaw was present across other government services such as Medicare or Centrelink. Security analyst Ty Miller said this was a “strong possibility”. Another analyst, CQR Security founder Phil Kernick, also said it was possible.

An ATO spokesperson did not directly respond when asked how long the flaw had been active for.

However, they said the ATO was aware of “very limited circumstances” where the flaw could have occurred: if the first user didn’t sign out of the ATO website (or the session didn’t automatically time out) before they logged out of myGov, and if both such users were using the same device and browser.

“This issue does not occur on all types of devices,” the spokesperson said.

“We continue to investigate to ensure no other errors are occurring.”

A DHS spokesperson said there was “no flaw” in myGov and that the problem lay with the ATO.

Mr Kernick also said the responsibility to delete cookies lay with the services plugging into myGov, and not with myGov itself.

Broader problems

But security researcher Nik Cubrilovic said the cause of the vulnerability was rooted in the architecture of myGov and its SSO process, and the “very basics” of authenticating a user.

“This is an architectural flaw—there are better methods for having SSO where logging out once at myGov would also log you out of any other site,” Mr Cubrilovic said.

“I’m … not comfortable with the blame shifting [from DHS to ATO]. It suggests that the culture that led to this bug and previous bugs is still prevalent at the department and that more issues are a matter of when rather than if.”

The ATO spokesperson said the department “worked with DHS to design its online services in the context of the myGov website”.

Mr Cubrilovic last year revealed a separate security flaw with myGov, also relating to cookies, which allowed user accounts to be hijacked.

In a document sent to DHS and seen by Fairfax Media, he outlined no less than 12 security issues with the myGov portal and gave recommendations as to how they could be fixed.

One-and-a-half years later Mr Cubrilovic said half of the recommendations had still not been implemented.

“In my original report there were recommendations to shorten the time that cookies are valid, to change the cookie type so that it couldn’t be stolen and to unset them properly, but none of these were taken up,” he said.

The flaw uncovered this week could also be replicated remotely—i.e. not necessarily only affecting people using the same computer and browser—if someone gained access to the user’s cookie, he said.

Mr Cubrilovic said he was “not 100 per cent confident” in the way the ATO had implemented a fix for the new bug, because there was “still so much that can go wrong”.

“A proper fix for this issue would be to re-architect the SSO process,” he said.

Difficulties reporting bugs

The most simple of Mr Cubrilovic’s recommendations from last year was to have a clear point of contact for users to report website bugs.

Mr Liew said he posted a video on YouTube documenting the flaw because attempts to report the bug via myGov and ATO customer service channels had resulted in him being hung up on twice. One staff member even told him to reboot his computer, he said.

In his video Mr Liew described speaking to four separate myGov support staff over an hour, none of whom were able to log the issue and direct it to security. He then rang ATO support, only to be told to contact myGov.

An ATO spokesperson said the department had reviewed its call with Mr Liew and while its staff member had been “professional and courteous at all times”, she had “incorrectly referred the user to the myGov hotline”.

“We recognise that on this occasion the user received incorrect advice,” the spokesperson said, adding that the issue was being addressed via coaching and feedback.

Mr Cubrilovic described the failure to implement a clear channel for reporting bugs as “gross neglect” and said he had experienced similar issues as Mr Liew when trying to alert myGov about security flaws in the past. Action was taken only after he contacted a senior IT staff member directly via Twitter, he said.
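
The sequence the article describes, as an added model that is not code from the article, myGov or the ATO: a shared browser whose cookie jar outlives any one user, a portal that owns the master login, and one linked service that issues its own session cookie the first time a document link is followed. In the flawed configuration the service cookie is long-lived and nothing at the portal ever invalidates it, so the next person to log into the portal on that browser is shown the previous user's record, whether or not the first user signed out of the portal (the "very limited circumstances" the ATO spokesperson describes). The hardened configuration applies the mitigations the quoted recommendations point at: a short cookie lifetime, HttpOnly and Secure flags (the standard attributes for a cookie that page script cannot read and that cannot travel over plain HTTP; the page does not say which "cookie type" change was actually recommended), server-side invalidation of the service session when the user logs out of the portal (the single logout Mr Cubrilovic refers to), and a check that a service session still belongs to the portal session the browser currently carries. All class, cookie, user and record names are hypothetical and the records are constructed sample data.

```python
# Added illustration, not code from the article, myGov or the ATO. It models a
# shared browser's cookie jar, a portal (identity provider) and one linked
# service (relying party); all class, cookie, user and record names are hypothetical.
import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    value: str
    expires_at: float        # absolute time in seconds
    http_only: bool = False  # not readable by page script
    secure: bool = False     # only sent over HTTPS


def cookie(jar, name, now):
    """Value of cookie `name` in the shared jar if present and unexpired, else None."""
    c = jar.get(name)
    if c is None or c.expires_at <= now:
        jar.pop(name, None)
        return None
    return c.value


class IdentityProvider:
    """Portal owning the master login (the myGov role in the article)."""
    def __init__(self, single_logout):
        self.single_logout = single_logout
        self.sessions = {}  # sso token -> {"user": ..., "linked": {service name}}
        self.services = {}  # service name -> RelyingParty

    def login(self, jar, user, now):
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = {"user": user, "linked": set()}
        jar["PORTAL"] = Cookie(tok, now + 3600, http_only=True, secure=True)

    def identity(self, jar, now):
        """(sso token, user) of the portal session this browser carries right now."""
        tok = cookie(jar, "PORTAL", now)
        sess = self.sessions.get(tok)
        return (tok, sess["user"]) if sess else (None, None)

    def logout(self, jar, now):
        tok = cookie(jar, "PORTAL", now)
        sess = self.sessions.pop(tok, None)
        jar.pop("PORTAL", None)
        # Single logout: each linked service drops, server-side, the sessions it
        # issued against this portal session, whatever cookies the browser keeps.
        if sess and self.single_logout:
            for name in sess["linked"]:
                self.services[name].back_channel_logout(tok)


class RelyingParty:
    """Linked service holding the records (the ATO role in the article)."""
    def __init__(self, name, idp, ttl, hardened):
        self.name, self.idp, self.ttl, self.hardened = name, idp, ttl, hardened
        self.sessions = {}  # service token -> {"user", "sso", "expires"}
        self.records = {}   # user -> record (constructed sample data)
        idp.services[name] = self

    def open_document(self, jar, now):
        """Follow the portal's 'download letter' link; return the record shown."""
        tok = cookie(jar, self.name, now)
        sess = self.sessions.get(tok)
        if sess and sess["expires"] > now:
            # Hardened: the service session must belong to the portal session the
            # browser carries now; a leftover from another user is discarded.
            if self.hardened and self.idp.identity(jar, now)[0] != sess["sso"]:
                del self.sessions[tok]
            else:
                return self.records[sess["user"]]
        sso, user = self.idp.identity(jar, now)
        if user is None:
            return None  # no portal login, nothing to show
        tok = secrets.token_urlsafe(16)
        self.sessions[tok] = {"user": user, "sso": sso, "expires": now + self.ttl}
        self.idp.sessions[sso]["linked"].add(self.name)
        jar[self.name] = Cookie(tok, now + self.ttl, self.hardened, self.hardened)
        return self.records[user]

    def back_channel_logout(self, sso):
        for t in [t for t, s in self.sessions.items() if s["sso"] == sso]:
            del self.sessions[t]


def shared_computer(hardened, alice_logs_out_of_portal):
    """Alice views her record and leaves, optionally signing out of the portal only;
    Bob logs into the portal on the same browser and follows the same link.
    Returns the record Bob is shown."""
    now = 1_000_000.0
    jar = {}  # the shared browser's cookie jar, which outlives either user
    idp = IdentityProvider(single_logout=hardened)
    tax = RelyingParty("TAX", idp, ttl=900 if hardened else 86400, hardened=hardened)
    tax.records = {"alice": "alice-record", "bob": "bob-record"}
    idp.login(jar, "alice", now)
    assert tax.open_document(jar, now) == "alice-record"
    if alice_logs_out_of_portal:
        idp.logout(jar, now + 60)
    idp.login(jar, "bob", now + 120)
    return tax.open_document(jar, now + 130)
```

Calling shared_computer(False, True) or shared_computer(False, False) returns "alice-record": in the flawed setup Bob is shown Alice's record whether she signed out of the portal or simply walked away. With hardened=True both calls return "bob-record", and the two protections cover different cases: single logout handles the portal sign-out, while binding the service session to the current portal session handles the walk-away, where nothing at the portal ever fires. The short lifetime only bounds the exposure window if both of those fail, which is why the quoted recommendation to shorten cookie validity is a mitigation rather than a fix on its own.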
