
The private records of millions of Australians – including their doctor visits, prescription drugs, childcare and welfare payments – are at the mercy of cyber criminals because of flimsy IT security around a critical federal government website, IT security experts warn.

And they say the risk will increase from the middle of the year, when the government will make it compulsory for Australians to use the my.gov.au website to lodge their electronic tax returns, potentially also exposing their financial and banking records to hackers.

The myGov site is used by 2.5 million Australians to access their Centrelink, Medicare, Child Support, Department of Veterans' Affairs, e-health, and NDIS government accounts. If users link their different accounts, the information accessible includes their name, date of birth, phone numbers, email address, Medicare number, child immunisation records, dates of doctor visits and drugs prescribed, and welfare and childcare reimbursement payments.

But Sydney software architect and IT security consultant Troy Hunt said the controls used to protect the site were "insufficient" and "irresponsible" and considerably weaker than many other large websites such as Google, Twitter and note-taking app Evernote.

He called on the government to introduce "two-factor authentication" to better protect the sensitive information. The process is commonly used by banks and other sites, requiring users to put in a token, or code, sent to their mobile phone before they are allowed access to their account.

"I'm surprised and concerned that the security controls protecting my medical [and tax] records are less than those protecting my recipes stored in Evernote," Mr Hunt said. "I think given the class of information they're protecting I'd call it irresponsible simply because I expect two-factor authentication for information that is much less valuable."
