AFP says third-party system intrusion behind early-access super fraud

The Australian Federal Police has revealed that a third-party system intrusion led to a small number of fraudulent applications to the government’s early access superannuation scheme.

The Australia Taxation Office on Wednesday evening said the fraudulent activity had been detected after a “small number of people … had their personal details unlawfully used”.

It said ATO systems had not been hacked, which ATO commissioner Chris Jordan reiterated that at the senate inquiry into the government’s COVID-19 response on Thursday.

Related: How ANZ, Fintel Alliance sniffed out early super access fraud scheme

“As far as we know, our systems have not been compromised, however … there are obviously people in intermediaries that have access to our systems,” Jordan said.

AFP commissioner Reece Kershaw said that a system relating to a single third-party had been intruded, though did not indicate if this was a super fund or another ATO intermediary. 

“We do have our cyber team on this, and there has been an intrusion into a third-party,” he said.

“So we’re looking into that and how that system was intruded in particular and the actions taken from there. It’s quite sophisticated.”

He also confirmed that the fraudulent activity was not the result of a government system breach.

“It’s a third-party that sits outside of the government network,” Kershaw said.

Kershaw said that although the AFP was in the early stages of investigation, the fraud could have impacted as many as 150 victims.

“We have actually identified some bank accounts and had those bank accounts frozen with approximately $120,000 all up,” he said.

ATO chief information officer Ramez Katf, who also appeared at the committee, said while as many as 250 third-parties connected to ATO systems, there were a number of controls in place.

“We have a lot of different levels of security and controls that we put in place between us and a number of third-parties,” he said.

“We have about 250 different third-parties that connect to our systems, either transacting with us, providing us with data or accepting data. 

“And we’ve put in place a number of layers, requiring them [third-parties] to put in place some levels of security that they need to comply with."

He also said there were “a number of layers that try to prevent any of those fraudulent transactions and activities”.

“From our side, we track the transactions as they come through and we look for patterns, and look to try and identify those,” he said.