Services Australia has seen a massive surge in data breaches by scammers harvesting information from previous hacks and using it to access customer accounts, Guardian Australia can reveal.
Data obtained under freedom of information by a user, known as CR, on the transparency website Right to Know reveals that, as of 5 July, Services Australia had reported 49 data breaches as a result of social engineering – where people call an agency pretending to be someone in order to access information – in 2024.
The figure was more than 440% higher than the nine social engineering-related reports across the whole of 2023. Just one report of such a breach was recorded in each of the previous three years.
The agency also reported four instances where data was compromised by people using stolen or compromised credentials – indicating they were logging into Services Australia’s system under someone else’s login – in 2022 and 2023
Services Australia’s general manager, Hank Jongen, confirmed the increase came as a result of an increase in the use of personal information that had been stolen elsewhere.
“The vast majority are the result of customer information becoming compromised through previous third-party data breaches occurring in Australia and overseas, as well as from small- and large-scale identity theft or phishing scams and from mail theft,” Jongen said.
“The increase in notifiable data breaches in recent years across industry and government reflects the growing trend of scammers impersonating organisations and targeting individuals to steal sign-in credentials and other personal information.”
Jongen said the number of users who had their personal information in their online accounts potentially accessed by unauthorised people was much higher – with 14,000 notified in the 2023-24 financial year.
Although the specific breaches were not attributed, the spike in reports came after high-profile data breaches affecting tens of millions of Australians, including Medibank and Medisecure.
Jeremy Kirk, an analyst with cyber-threat intelligence firm Intel 471, said data breaches provided a consistent drip-feed of fresh identity information that could be used for account takeovers, fraud and other ID-theft schemes.
“Every organisation that runs online customer-facing systems faces challenges ensuring that only an authorised account holder is actually the one accessing the account,” he said.
“These info-stealers scrape all kinds of data from web browsers, from credentials to cookies to credit card and personal data. These data packages are sold in underground cybercriminal forums and on chat services such as Telegram.”
Kirk said cybercriminals were also overcoming defences, including two-factor authentication, through phishing schemes over email or text designed to trick people into giving up security codes.
“Then they immediately login into an account. There’s other security telemetry that service providers can use to try to detect unauthorised logins, but it can be very difficult to stop.”
The office of the Australian information commissioner (OAIC), where Services Australia reported the breaches, said this month said that most data breaches reported in the first half of 2024 by government entities were a result of social engineering or impersonation.
“It is essential that government agencies, especially those with service delivery functions, model best practice and build community trust in their ability to protect the security of personal information they hold,” the OAIC said.
Jongen said if people were concerned their account information had been compromised, they should sign in to their account, check for any activity they don’t recognise and check the personal details and contact information are correct.
Those who suspected their account had been compromised could call Services Australia’s dedicated hotline on 1800 941 126, he said.