TFN checks
Problem: Australian Tax File Number (TFN) can be used to link a fake MyGov account and claim taxes on someone's behalf.
Suggestion: Hash all leaked accessible TFNs on the darknet to inform people that they should request a new one from the ATO.
Context:
Today, I went to the accountant and I have become Sue0. My TFN and email have leaked from somewhere, and the bad guys used the deets to create a fake MyGov account, somehow attached their fake account to my taxes (ATO) and claimed random things to be under the 10k threshold. Apparently, I am now divorced, gave 43k of gifts, have income protection and drove my car like a madman.
I am extremely cautious with my deets and have little exposure to the internet other than leaks of course (the only one attached to my personal email used for the ATO is the Deezer one)... but where is the TFN coming from?
Suggestion: hasmyTFNbeenp0wned.com
because based on the ABC article there is a market for that and visibly they found ways to leverage that in a very lucrative way using our taxes (our nation's money!) for their own benefits.
I am still waiting for the ATO call to know more about it.
Thoughts?
There are many problems with this:
- There are no data breaches in HIBP with Australian tax file numbers
- If there were, they're extraordinarily time consuming to parse out as they adhere to a simple numeric pattern that can't simply be regex'd out like an email address
- Hashing would provide effectively zero protection as the entire range of tax file numbers could be pre-computed very quickly due to their small number of possible values
- No anonymity means storing sensitive personal data which is definitely off the cards
And FWIW, the vast majority of data on HIBP doesn't come from "the dark web", it's being exchanged en masse via clear web forums. I appreciate this doesn't help you solve your specific problem, but unfortunately the answer doesn't lie here.
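
The reply's point about hashing, shown as an added example (not part of the original thread and not HIBP code): an unsalted hash of a short numeric identifier can be matched back to its input by walking the number range. It assumes a 9-digit identifier and SHA-256; the sample value is constructed and is not a real TFN.

```python
import hashlib
import time

# Assumption: the identifier is handled as a 9-digit number, so there are
# at most 10**9 candidates. Any validity rule would only shrink that set.
KEYSPACE = 10**9


def digest(n: int) -> str:
    """Unsalted SHA-256 of the zero-padded 9-digit string."""
    return hashlib.sha256(f"{n:09d}".encode()).hexdigest()


def hashes_per_second(samples: int = 200_000) -> float:
    """Measure single-core hashing throughput on this machine."""
    start = time.perf_counter()
    for n in range(samples):
        digest(n)
    return samples / (time.perf_counter() - start)


def full_enumeration_hours(rate: float) -> float:
    """Hours needed to hash every candidate at the given rate."""
    return KEYSPACE / rate / 3600


def recover(target: str, start: int, stop: int):
    """Return the number in [start, stop) whose digest equals target, if any."""
    for n in range(start, stop):
        if digest(n) == target:
            return n
    return None


if __name__ == "__main__":
    rate = hashes_per_second()
    print(f"{rate:,.0f} hashes/s on one core, "
          f"whole keyspace in about {full_enumeration_hours(rate):.2f} hours")

    sample = 100_123_456            # constructed value, not a real TFN
    published = digest(sample)      # what a hashed lookup table would store
    # A narrow window keeps the demonstration fast; the loop is the same
    # for the full range, it just runs longer.
    print("recovered:", recover(published, 100_000_000, 100_200_000))
```

The measured rate is for interpreted Python on a single core, so the printed estimate is an upper bound on the effort rather than a realistic one.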