The Australian Taxation Office is fuming after cyber-criminals ruined the finale of Tax Time 2016 with an attack on the government’s web portal myGov.
The troubled myGov portal, which handles traffic to most federal government customer service sites, had to be taken offline on Monday as it came under the same sort of attack as the one that took down the census in August.
Monday’s incident occurred as thousands of taxpayers were trying to access the Tax Office website and lodge their annual tax returns before the cut-off deadline.
The ATO says there was nothing wrong with its sites and officials there are understood to be furious with the performance of their counterparts at the giant Department of Human Services, which runs myGov.
In the wake of the attack, the ATO was forced to offer a one-day extension to taxpayers to get their 2015-16 returns lodged, but did not come clean with users about what exactly happened.
Human Services is trying to keep details about the distributed denial of service (DDoS) attack quiet and refused to answer questions from Fairfax about the incident.
It is understood that myGov was hit with a very large DDoS attack starting about 3pm on Monday as thousands of taxpayers, as well as the usual traffic to Centrelink, Medicare and other official sites, were trying to log on.
DHS was forced to take myGov offline for about an hour after the attacks began, blocking access to a number of government websites including the Tax Office on one of its most important days of the year.
A distributed DoS attack overwhelms a system with a large volume of web traffic, much of it coming from computers and devices that have been hijacked by cyber-criminals without the owners’ knowledge.
DHS will not say if it has referred Monday’s attack for investigation or what it believes might have motivated it, but independent cyber-security expert Troy Hunt says DDoS attacks can have the most trivial motivation.
“Very often, there is no practical logical sensible reason why they aim to take down a particular party with a DDoS,” Mr Hunt said.
“Usually when there are reasons, they are often extremely childish: we keep seeing at Christmas time people taking down [gaming sites] PlayStation or Xbox Live because they just want to screw with kids.
“It’s not like they’re making a medium-term monetary gain through this, like some of the cases where companies have been held to ransom.”
The Tax Office made it clear it was not interested in talking publicly about Monday’s incident.
“The Department of Human Services administers myGov,” a Tax Office spokesman said.
“Any inquiries about the performance of myGov should be directed to DHS.”
The statement the ATO posted on its site after the take-down did not even hint at what was going on behind the scenes.
“Some taxpayers were experiencing slowness in logging on earlier today,” it said.
“Everything appears to be working now so we are encouraging people to try again.
“People don’t need to worry: penalties won’t apply for anyone who lodges their tax return tomorrow.”
A Human Services spokesman was giving little away when questioned by Fairfax.
“The department does not at any time comment on cyber security,” he said. “The department’s services, which include myGov, were affected by a short disruption on 31 October 2016, after which services were restored. We apologise to any customers who were inconvenienced.”