    Data breach guidance for businesses

    Information security is an important aspect of your business. You need to keep all your business, staff and client information secure. If your data is lost or compromised, it can be very difficult and costly to restore.

    Data breaches often lead to refund fraud. We have sophisticated methods in place to identify and protect against potential tax and super fraud.

    How data breaches can happen

    A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.

    This information may include:

    • employee payroll, tax, and super information
    • confidential business documents
    • banking details.

    Examples of data breaches include, but are not limited to:

    • unauthorised removal of computers, data, or records in both paper and digital formats
    • people with legitimate access to the data using it for fraudulent activity
    • accessing taxpayer files using a fraudulently obtained credential, such as myGovID
    • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
    • accidental disclosure of information, for example, records emailed to an unauthorised third party or hard copies left in a public place
    • payroll information for your employees being unlawfully accessed
    • unauthorised access to cloud-based services you use to store information.

    What we recommend you do

    You should report any data breaches to us to make sure protective measures can be placed on client accounts.

    If a breach occurs within your business we recommend the following actions:

    • Contact our Client Identity Support Centre on 1800 467 033 Monday to Friday, 8.00am–6.00pm AEST, so that we can apply measures to protect your business, staff and clients where necessary.
    • If you are a digital service provider or software developer contact our Digital Partnership Office (DPO) on 1300 139 052 Monday to Friday, 8.00am–6.00pm AEST.
    • Review the Office of the Australian Information Commissioner's (OAIC) information about notifiable data breaches to make sure you comply with your obligations under the Privacy Act 1988, including the Notifiable Data Breaches Scheme (NDBS).
    • Tell affected employees or business associates about the breach. These may include software providers, such as your payroll services, especially if you suspect the breach originated in one of their service offerings.
    • Consider what information was accessed during the breach and take steps to safeguard this where necessary – for example, you may need to report inappropriate access to your myGovID.
    • Take steps to secure the information in your business by updating all security software and controls.
    • Review systems access and remove it for people who no longer need it.
    • Continue to follow security best practices and reinforce these practices with your staff to reduce the risk to your business.

    If you, your impacted employees, clients or business associates are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCARE on 1800 595 160. IDCARE provides free advice and confidential support to victims of data breaches and identity theft.

    Case study: Compromise of business email account

    Compromised business email accounts are an increasing risk to business. Fraudsters gain access to corporate email accounts and spoof the business email address. They do this to steal personal identifying information or to defraud the company, its employees or customers of money.

    Spoofing is where an email is sent from a fake website or email address disguised as a legitimate website or email address. If you hover the mouse pointer over the sender's name, the true email address the message was sent from will be shown.

    A recent report advised a tax agent’s email address was spoofed by a fraudster. The fraudster sent an email, which seemed legitimate, to the agent’s client list asking them to complete a personal data request form. This was an attempt to harvest client identifying information to commit future identity and tax fraud.

    We took immediate action and applied protective measures to affected client, entity and employee accounts.

    Cyber and phishing attacks can be very damaging for business and can often lead to further attacks on your client, business and employee data.

    Staff education is critical. If you receive a suspected scam phishing email, do not:

    • click on any links
    • open any attachments
    • download any files
    • install any applications.

    These files may install a virus on your computer to steal identity credentials.


    How we protect clients affected by a data breach

    If a data breach has occurred at your business it is important you understand the steps we may take to safeguard taxpayer data and our tax and super system.

    To protect the community we may apply treatment options to any files impacted by the data breach. These treatments may include:

    Additional proof of identity

    If your business is the victim of a data breach we may ask you for additional proof of record ownership before we discuss your tax affairs. This will apply when you interact with us. Even if you use a tax professional, we may request that you contact us directly.

    Asking questions only you will know assures us we are dealing with your business and not an unauthorised third party.

    You may also choose to have a secret password created on your record. Secret passwords validate your identity when you deal with us.

    You can set up a secret password with our staff over the phone. However, if we are unable to establish your proof of identity over the phone, we may request that you visit a shopfront with proof-of-identity documentation or complete the tax file number enquiry form on the Australia Post website.

    Additional monitoring processes

    When a breach has occurred we will continue to monitor any impacted ATO records to make sure transactions on these accounts are accurate. If we identify any irregular activity, we may contact you to verify the accuracy of the information provided or the legitimacy of any account activity.

    This may delay processing of tax returns and other forms.

    Additional security measures

    Depending on the circumstances, we may apply additional security measures within our systems.

    If we apply these measures:

    • you may not be able to use our online channels or myGov
    • pre-fill data may not be available
    • we may prevent business activity statements from issuing automatically. You will need to contact us before each lodgment so we can generate these statements.
    • we may need to make extra checks for tax returns and other forms that could delay processing.

    Appointment of a data breach manager

    In some cases, we may assign a data breach manager who will assist you in managing data breaches within your business. They can provide support to reduce the impact on your business and your clients.

    Inappropriate access to myGovID

    myGovID uses encryption and cryptographic technology, together with the security features of your device such as fingerprint or face recognition, to protect your identity.

    If you are aware or suspect someone has inappropriately accessed your personal information in myGovID, you need to report this immediately.

    Contact the myGovID support line on 1300 287 539 (select option 2) between 8.00am and 6.00pm AEST, Monday to Friday.

    International callers can contact us by phoning our switchboard on +61 2 6216 1111 between 8.00am and 5.00pm AEST, Monday to Friday, and requesting that your call be transferred to the myGovID support line.

    See also:

    • myGovID for more information and tips about myGovID security and staying safe online.

    Last modified: 27 Jul 2021 (QC 54172)