‘Severe consequences’ for employees involved in hacking taxpayer profiles

Posted on

South African Revenue Service (SARS) Commissioner Edward Kieswetter has warned that any lapse in integrity among employees, particularly involving collusion with taxpayers, will be met with severe consequences.

In an interview with eNCA’s Heidi Giokos, Kieswetter said such misconduct will result in immediate dismissal and criminal prosecution.

Kieswetter disclosed that SARS has “had a number of reports of profile hacking”. He said the primary issue often stems from taxpayers or tax practitioners sharing or compromising their profiles. This could happen when the same password is used across multiple platforms.

“If you use the same password when you do your online purchases, when you do your Facebook, when you do your X account, and now you use the same password for SARS, you compromise yourself,” Kieswetter explained.

He advised: “Use a very unique password for your tax-filing system and for your bank, and change it when you need to, because these are the high-risk access (points.)”

Another significant risk, according to Kieswetter, is clicking on links that are not from official SARS websites or channels.

“Do not click on a link. We will not ask you for personal information in an unprotected environment. We use two-factor authentication. Unfortunately, not all taxpayers use two-factor authentication,” he said.

However, Kieswetter acknowledged that SARS must also remain vigilant about its own vulnerabilities, stating, “In humility, we also have to accept if there is any risk on our side. We work hard to identify our internal risks. We continuously improve our systems.”

Threat from international cybercrime syndicates

A Sandton-based ICT firm has become one of the latest victims in the recent wave of hacked SARS eFiling profiles, losing a R20-million tax refund.

According to a Sunday Times article, an independent investigator suggested that SARS appeared hesitant to acknowledge and investigate claims that the theft might involve insiders providing sophisticated syndicates with access to the system.

In response to these allegations, a media statement from SARS stated that the tax authority thoroughly investigated the alleged crime, with the primary focus on uncovering any internal irregularities or possible complicity by SARS staff.

Kieswetter confirmed that SARS investigated this matter and found that no negligence or liability could be attributed to SARS. He added, “Meaning that SARS can therefore not be held liable for the criminal action reported by the Sunday Times. SARS will assist the company and all law enforcement agencies in any investigations that must follow to uncover the source of this tax crime.”

Kieswetter further noted that profile hijackings highlight the pervasive nature of cybercrime with global links. He acknowledged that the sophistication of such crimes is constantly evolving, placing SARS, like all financial institutions, under constant threat from international cybercrime syndicates.

Office of the Tax Ombud inquiry under way

In the meantime, the Office of the Tax Ombud (OTO) says it has found evidence that a small minority of tax practitioners may be complicit in the hijacking of taxpayer profiles.

OTO senior manager Talitha Maude said during a recent webinar the Office has encountered at least three cases where there have been complaints about refunds being paid into the “wrong” accounts because of hijackings. SARS’s investigations indicated there were no hijackings.

Last month, the OTO stated it had obtained approval from the Minister of Finance to conduct a review of possible systemic and emerging issues related to alleged SARS’s service failures in assisting taxpayers with eFiling profile hijacking timeously in terms of section 16(1)(b) of the Tax Administration Act.

OTO describes “systemic issues” as “underlying problems that can be considered as the root causes of complaints affecting or likely to affect many taxpayers in the tax system. These issues often pertain to how specific SARS systems operate, how they formulate and implement policies, practices or procedures, and how they apply or ignore legislative provisions.”

This investigation comes in response to complaints and queries received by the OTO from taxpayers, industry bodies, and participants in a public workshop held on 13 June with SARS, taxpayers, and industry representatives.

Read: Tax Ombud to investigate widespread taxpayer profile hijackings

SARS has welcomed the inquiry by the OTO, stating that “SARS is co-operating with OTO and looks forward to the recommendations that will be made on how best to combat the scourge of profile hijacking.”