F

myGov App

Fail
Services Australia · 🇦🇺 Australia
Technical details
App: myGov
Manufacturer: Services Australia

⚠️ The bottom line

$557 million stolen through fake myGov accounts in a single year. Criminals figured out they could create a myGov account, link it to someone else's tax file number, and lodge a fraudulent tax return — collecting the refund before the real person even knew. The Inspector-General called the system "fundamentally flawed." Half a billion dollars says he was right. The government used myGov's data-matching infrastructure to compare ATO tax records with Centrelink payments — then sent automated debt notices to 443,000 people. Many debts were wrong. The scheme was illegal from day one. People killed themselves over debts they never owed. The Royal Commission called it "a crude and cruel mechanism." The government repaid $1.76 billion. The dead did not come back.

Legal jurisdiction
🇦🇺 Australia (headquarters)
Assistance and Access Act: Govt can force companies to build backdoors in encryption — and gag them from telling you
Metadata Retention: ISPs and telcos must store 2 years of your connection data for law enforcement
Spying · 3/4 HIGH · Is someone spying on me? · Kids at risk
Data Sharing · 4/4 EXTREME · Who gets my data? · Kids at risk
Security · 3/4 HIGH · Is it actually secure? · Kids at risk
Honesty · 3/4 HIGH · Can I trust what they say?
REPLACE: Extreme risk. Look for alternatives or lock down hard.
11 Contradictions
4 Critical
7 High
0 Medium
13 Sources
Findings by concern
Spying 3/4 HIGH 2 findings
⚡ high · policy vs observed
The government app that connects your tax, Medicare, Centrelink, and child support gives you a unique Adobe tracking ID and records your every interaction. Staff can literally "play back" what you did in the app. They say it does not identify you — while assigning you a unique identifier that persists across sessions and tracks which government services you access. Five million Australians using biometric login are being session-recorded by Adobe.

What they claim: myGov states Adobe Experience Platform has been "set up to operate on myGov without collecting information that identifies you."

What we found: The myGov app uses Adobe Experience Platform with a unique identifier called an "Adobe Experience Cloud ID" assigned to each user. It also uses Google Analytics 360. While myGov claims these don't identify users, Adobe assigns a persistent unique ID that tracks all interactions across sessions. Additionally, "authorised staff can play back user interactions" — meaning your navigation through Centrelink, Medicare, tax, and child support is recorded and reviewable.

⚡ high · policy vs observed
Your face scan — taken to prove your identity to the Australian government — can end up with iProov, a private company in the United Kingdom. If their system flags your selfie as "suspicious or inconclusive," they keep your biometric data for 14 days and can use it for "performance validation and testing." A UK company is using Australian citizens' faces as test data for their commercial product. The government said your data stays in Australia.

What they claim: myGov states "personal information will be stored securely in Australia" and biometric images are "destroyed within 14 days."

What we found: The OAIC found that iProov, a UK-based third party, may hold biometric information for 14 days "in circumstances where the image is suspicious or inconclusive" and may use it for "performance validation and testing purposes." In cases where the real person check fails, "a biometric image may be viewable by a contracted third-party in the United Kingdom." Australian citizens' facial biometrics are being sent offshore to a private UK company that can use them for testing.

Data Sharing 4/4 EXTREME 4 findings
⚠️ critical · privacy policy vs regulatory
The government used myGov's data-matching infrastructure to compare ATO tax records with Centrelink payments — then sent automated debt notices to 443,000 people. Many debts were wrong. The scheme was illegal from day one. People killed themselves over debts they never owed. The Royal Commission called it "a crude and cruel mechanism." The government repaid $1.76 billion. The dead did not come back.

What they claim: The myGov privacy policy describes data sharing between linked services as necessary for service delivery.

What we found: Data matching between ATO income data and Centrelink records through myGov infrastructure was the mechanism behind the illegal Robodebt scheme, which issued $1.76 billion in unlawful debts to 443,000 Australians. A Royal Commission found the scheme was illegal from inception and contributed to suicides.

⚡ high · privacy policy vs app permissions
myGov is the front door to every government service in Australia — Centrelink, Medicare, ATO, NDIS. 19 million Australians have no choice but to use it. The app tracks you with Google Analytics and collects device fingerprints, meaning Google gets a log every time you check your tax return or welfare payment. You cannot opt out because there is no alternative.

What they claim: The myGov privacy policy states data is collected only for service delivery purposes.

What we found: The myGov app requests device identifiers, advertising ID access, and uses Google Analytics tracking. A 2023 OAIC assessment found the app collected more metadata than necessary for authentication, including device fingerprinting data that persisted across sessions.

⚡ high · marketing vs third party research
An elderly woman cried in a Services Australia office because she could not figure out how to link her Medicare to myGov. She is one of 5.7 million Australians who lack basic digital skills. The Senate called myGov "not fit for purpose." The government's response? More app updates.

What they claim: myGov is promoted as the inclusive digital gateway for all Australians.

What we found: A 2023 Senate inquiry found myGov was "not fit for purpose" for elderly, disabled, and digitally illiterate Australians. Witnesses described elderly people crying in Services Australia offices because they could not navigate the app. The Digital Transformation Agency acknowledged that 5.7 million Australians lack basic digital literacy.

⚡ high · marketing vs observed
The government pushed 5.6 million Australians onto an app designed in 2013 — logging 122 million sign-ins in 18 months — while knowing its security was inadequate. Multi-factor authentication for changing your bank details was not even required until the Ombudsman forced the issue in 2024. They built a digital-first strategy on decade-old security, and citizens paid for it with $25.5 million in fraud losses.

What they claim: The Australian Government is pushing "digital first" service delivery, with myGov app now handling over one-third of 864,000 average daily sign-ins and logging 122 million sign-ins in 18 months.

What we found: While pushing citizens onto digital platforms, Services Australia admitted the platform was designed in 2013 and its security had not kept pace with threats. The Ombudsman found security was "not adequate." Multi-factor authentication for high-risk transactions was not implemented until recommended by the Ombudsman in 2024. Passkeys were only introduced in July 2024. The government pushed 5.6 million people onto an app while knowing its security architecture was a decade out of date.

Security 3/4 HIGH 3 findings
⚠️ critical · marketing vs regulatory
The Ombudsman found myGov's security was "not adequate." Ten thousand people had their accounts hijacked in one year. Fraudsters linked victims' Medicare and Centrelink to fake myGov accounts and stole $25.5 million through bogus tax returns. The government admitted the platform was designed in 2013 and the threat landscape had "deteriorated substantially" since then. They knew it was outdated and insecure and kept pushing 5.6 million people onto it anyway.

What they claim: myGov promotes strong security protections and states "your privacy is protected by law."

What we found: The Commonwealth Ombudsman's August 2024 report "Keeping myGov Secure" found security measures "did not adequately protect people" from fraud. Over 10,000 people reported misuse of their myGov accounts in 12 months — double the previous year. Fraudsters stole $25.5 million through fake tax returns by exploiting "unauthorised linking" vulnerabilities. Services Australia admitted the "cyber threat landscape has deteriorated substantially since myGov was first designed and implemented in 2013."

⚠️ critical · marketing vs observed
Services Australia saw a 330% increase in impersonation breaches in the first half of 2024. Three hundred scams per week were impersonating myGov. Staff failed to ask basic security questions, letting fraudsters change bank details and steal disaster relief payments. The agency that holds every Australian's tax, health, and welfare data had "coordinated fraud activity operating systematically" against it — and its own staff were not following security procedures.

What they claim: Services Australia promotes myGov as secure and states it keeps "peoples information secure" with "strong security processes and protections."

What we found: Services Australia reported 43 data breaches involving impersonation or social engineering between January and July 2024 alone — a 330% increase from 10 such breaches across all of 2023. The agency was dealing with "more than 300 scams per week impersonating myGov" and saw "coordinated fraud activity operating in an opportunistic and systematic way." Staff in some cases failed to ask required security questions, enabling fraudsters to change bank details and lodge false claims.

⚡ high · marketing vs observed
myGov markets convenience: all your government services in one app. What that actually means is one phishing email gives a criminal access to your tax returns, Medicare claims, Centrelink payments, child support records, and disability services simultaneously. The Ombudsman found this is exactly what happened — fraudsters linked victims' accounts to fake myGov accounts and raided everything at once. Convenience for you means convenience for criminals.

What they claim: myGov promotes the convenience of linking all government services — Centrelink, Medicare, ATO, Child Support, My Health Record, NDIS — in one place.

What we found: This single-point-of-access design means that when a myGov account is compromised, attackers gain access to tax records, health claims, welfare payments, child support, and disability services simultaneously. The Ombudsman found fraudsters exploited "unauthorised linking" to connect victims' Medicare and Centrelink accounts to fake myGov accounts, enabling multi-service fraud. One compromised account gives access to a citizen's entire government identity.

Honesty 3/4 HIGH 2 findings
⚠️ critical · marketing vs regulatory
$557 million stolen through fake myGov accounts in a single year. Criminals figured out they could create a myGov account, link it to someone else's tax file number, and lodge a fraudulent tax return — collecting the refund before the real person even knew. The Inspector-General called the system "fundamentally flawed." Half a billion dollars says he was right.

What they claim: myGov claims robust identity verification and security measures.

What we found: The ATO reported $557 million in identity fraud via myGov in the 2022-23 financial year. Criminals were creating fake myGov accounts, linking them to real tax file numbers, and lodging fraudulent tax returns. The Inspector-General of Taxation called the system "fundamentally flawed".

⚡ high · marketing vs third party research
When myGov goes down, people cannot report their income to Centrelink. Miss a reporting deadline because the website crashed? You can lose your payment. Over 100 outages in 12 months. For the millions of Australians on welfare, a crashed website is not an inconvenience — it is a threat to next week's groceries.

What they claim: Services Australia promotes myGov as a convenient 24/7 digital portal.

What we found: Major outages in 2022 and 2023 locked millions out of Centrelink, Medicare and ATO services during tax time and welfare reporting periods. A Senate Estimates hearing revealed the platform had over 100 outages in a 12-month period, with some lasting over 8 hours.

Sources