Payday lenders ask customers to share myGov and banking passwords, putting them at risk

Payday lenders are asking applicants to share their myGov login details, as well as their internet banking password — posing a security risk, according to some experts.

It also goes against the advice of the government website.

As spotted by Twitter user Daniel Rose, the pawnbroker and loan provider Cash Converters requires people receiving Centrelink benefits to provide their myGov access details as part of its online approval process.

A Cash Converters spokesperson said the company gets data from myGov, the government's tax, health and entitlements portal, via a platform provided by the Australian financial technology firm Proviso.

Luke Howes, CEO of Proviso, said "a snapshot" of the most recent 90 days of Centrelink transactions and payments is collected, along with a PDF of the Centrelink income statement.

Some myGov users have two-factor authentication turned on, which means they must enter a code sent to their mobile phone to log in, but Proviso prompts the user to enter the digits into its own system.

Collecting this data lets a Centrelink applicant's recent benefit entitlements be included in their bid for a loan. Including them is legally required, but it does not need to occur online.

Keeping data safe

A Department of Human Services spokesperson said users should not share their myGov credentials with anyone.

"Anyone who is concerned they may have provided their username and password to a third party should change their password immediately," she added.

Disclosing myGov login details to any third party is unsafe, according to Justin Warren, chief analyst and managing director of IT consultancy firm PivotNine.

That is especially so given myGov is the home of My Health Record, Child Support and other highly sensitive services.

Nigel Phair, director of the Centre for Internet Safety at the University of Canberra, also advised against it.

He pointed to recent data breaches, including the one at credit score agency Equifax in 2017, which affected more than 145 million people.

Not only does Cash Converters ask for myGov details, it also prompts loan applicants to submit their internet banking login — a process followed by other lenders, such as Nimble and Wallet Wizard.

Cash Converters states in its terms and conditions that the applicant's account and personal information is used once and then destroyed "as soon as reasonably possible."

However, some subsequent "refreshing" of the data may occur for a period of up to 90 days.


Published 8 January 2018 11:04am
Updated 8 January 2018 2:35pm
Source: ABC Australia
