ATO toughens IT systems against data leaks

The Australian Tax Office has revealed it is in the first year of an IT security hardening project aimed at instituting data leakage protection across its environment.

Chief information officer Bill Gibson told iTnews that the hardening project was examining enhancements and tools that could be used to make sure tax data was "only available via approved and known channels".

"The privacy and integrity of taxpayer data is just so important for us," Gibson said.

"When we hear about information being leaked or lost by private or public enterprises - we routinely ask how well Tax Office is placed to manage such incidents."

Data leakage protection was a "multi-dimensional issue" for the agency, he said, noting that the ATO wanted to be able to monitor and track information as it left the organisation.

The Office also wants to be able to "stem" data exfiltration attempts (i.e. unauthorised releases of data from tax office systems).

"The sophistication of some of the approaches being taken by interlopers is extremely high," Gibson said.

"We are looking at defences we need to put in place."

Gibson said the Tax Office already had strong "data exchange infrastructure and governance mechanisms" in place between agencies and other parties entitled to receive data.

The ATO also monitors outbound email for keywords and combinations, scanning "every item that goes in or out" of its email system.

"We look for sensitive information, even staff information," he said.

The email scanning started in 2009 and had become more sophisticated over time. Gibson said the ATO had reduced email incidents to a "handful of low risk breaches" each month.

"Every breach is investigated and people asked, for example, why it was necessary to post information to their home email," Gibson said.

"If it is inappropriate, they get counselled. If it reoccurs their employment can be terminated. We are very strong on that."

He said employees knew email services were monitored ("we police it, but not in a covert way"). He said the policy was supported internally.

The ATO had also been active in raising "community awareness" of data leakage issues among third-parties it dealt with, such as tax agents.

"For example a tax agent has sent information about their clients. It includes their tax affairs, bank information and so on," Gibson said.

"What happens if someone breaks into a tax agent's office, pinches the equipment and the equipment is not suitable secured? All that information is then deemed compromised."

Gibson said the ATO had not suffered a major data leakage breach but that it had plans in place should an incident arise.

"We've always thought that if we were breached, how would we handle it? If a taxpayer's information has been lost, how do we handle it?"

"We have procedures in place to deal with that contingency for many years because that is a reality. We exercise it regularly enough, so it is well-oiled."

Such a data leakage incident could put ATO revenue at risk.

"If someone gets someone else's tax file number and that is not detected, then due revenue can be compromised and affect consolidated revenue," Gibson said.

Hardening ATO systems to deal with IT security threats has been on the agency's radar for several years.

An April 2008 review of information security practices at the Tax Office by PricewaterhouseCoopers [pdf] recommended laptops be encrypted and hardened "including consideration of controls to protect information stored on laptop hard drives and the security of communications channels that permit remote access to the Tax Office network".

Gibson said this had been implemented and he was also a user of encrypted thumb drives if he needed to share data with other users.

"We make those available to staff that need to take information with them," he said.

ICT contractors that engage with the Tax Office are also advised of hardening procedures for IT systems they implement.