"A lot of people had their tax returns made out fraudulently. Scammers used our data to fraudulently put in a tax return for the last financial year."
Mitchell did not know how scammers got access to her files, but said they would then ring victims pretending to be the ATO, saying the amount of money returned was a mistake.
"They say, 'You need to send money to this account.' Usually an offshore account," Mitchell said.
"There's a lot of unsuspecting people out there who don't realise they are not the ATO."
The couple has not yet been contacted by the ATO and the A$26,000 (NZ$28,011) is still sitting in their bank accounts.
Mitchell said she had requested more information about the breach from her tax agent and questioned whether she needed to change her tax file number and other personal details.
"It's a bit disconcerting from a security perspective," she said.
"If it's overseas scammers I won't be too concerned but if it's somebody within Australia they would know a lot of things about us through those records.
"I'm concerned they got our address and phone number and could just turn up at the door and be forceful. That would be my concern and I am hoping it's not within Australia."
Mitchell was concerned the ATO was not checking lodged tax returns and just sending out the money.
"Scammers have managed to get into files and create documentation and the ATO did not have any checks in place. Obviously nobody checks the money they pay out," she said.
"If they looked up my name they would have seen the amount I get every year and then looked at the $16,000 they were paying out and thought that was strange.
"They just paid it without doing the checks, they clearly have a lot of money to spend, but who is checking the tax stuff? You look at that and you think you could put anything down and they'll pay anything."
Mitchell wants the money removed from her account as soon as possible so she's not sitting there looking at it.
"It's mixed up with my money as well. I like to know how much I've got to spend and not be overdrawn. I also want some assurances basically that our private details are safe and secure now," she said.
H&R Block director of tax communications Mark Chapman told the Daily Telegraph the company had a number clients contacted by scammers asking for bank account details for fraudulent refunds. Scammers also asked for clients to pay tax debts that didn't exist.
"They have established that the way to make these scams work is to be as forceful, threatening and aggressive as they can," he said.
"People don't think straight when they feel under pressure, and are more likely to do things that they otherwise wouldn't."
He said the ATO would never ask somebody to pay a debt over the phone.
The ATO told news.com.au it was investigating recent reports impacting two tax agents whose clients reported unexpected tax refunds in their bank accounts, but said there was no information to suggest ATO systems had been compromised.
"Fraudsters steal personal identification information via various methods from sources outside of the ATO," assistant commissioner Kath Anderson said.
"This information is used to impersonate ATO clients and lodge fraudulent tax refunds. The protection of client information is a shared responsibility of the ATO and a broader network of trusted partners.
"The impacted agents proactively contacted the ATO and together we are working in partnership to mitigate the risk to clients and revenue."
Anderson said the ATO's priority was to support clients affected by identity crime and prevent fraudulent refunds from being paid out.
"The ATO investigates identified fraudulent refunds and looks for commonalities across those refunds to address and identify the extent of the fraud, potential improvements for our risk detection capabilities, opportunities for enhanced security measures and those responsible for the fraud," she said.
"The ATO has sophisticated risk models in place that enable us to scrutinise every tax return to identify refund fraud, blatant errors and higher risk claims. Only a very small percentage of 13 million individual returns lodged each year are found to be fraudulent."
Anderson said if tax agents notified the ATO of a potential data breach, it initiated a number of processes to protect the client.
ATO staff ask additional questions when validating a client's identity and it monitors ATO records of impacted clients.
"If we identify any irregular activity, we make contact to ensure the activity is legitimate," Anderson said.
The ATO recommends impacted businesses or practices to immediately advice any of their clients affected by a data breach.
"We may also contact your clients directly. We will collaborate with you on the best way to communicate this information to them," Anderson said.
