Two major Government departments have been told to strengthen cyber security defences after an audit found they were vulnerable to attacks that could compromise sensitive information.
The report found the Australian Taxation Office (ATO) and the immigration department had "insufficient protection against cyber security attacks from external sources".
This audit comes after a 2014 review of security found the Department of Human Services (DHS) had improved its defence against external attacks, internal breaches and unauthorised disclosures.
"To progress to being cyber resilient, the Australian Taxation Office and the Department of Immigration and Border Protection (DIBP) need to improve their governance arrangements and prioritise cybersecurity," the audit said.
The report warned that these agencies were responsible for national security data, personal information that could reveal birthdays, tax file numbers, bank account details, biometric data, and driver's licence numbers.
"Not operating in a cyber resilient environment puts entities' data and business processes at risk, with potentially significant consequences for Australian citizens and other clients and stakeholders," it said.
"The ATO and DIBP had security controls that provided a reasonable level of protection from breaches and unauthorised disclosures of information from internal sources.
"However, there was insufficient protection against cyber attacks from external sources".
The report found more than 1,400 Immigration staff had installed and run unauthorised applications on their computers, which increased security risks.
It also found both departments had outdated and unsupported software, which is contrary to advice from the Government's cyber security experts.
In response to the audit, the tax office said it would commit extra resources to address deficiencies.
Both agencies accepted the audit's recommendations.
