Data breach guidance for individuals

How data breaches can happen

You may be impacted by a data breach where your personal information is stolen by an unauthorised third party. Data breaches can include both physical and digital records.

A data breach may be a result of:

• your employer, tax agent or another organisation's accounts being compromised
• a home or office break-in
• someone gaining unauthorised access into your computer systems or using targeted phishing emails to compromise your electronic devices
• your records being inadvertently left in an unsecured location.

Criminals can use personal information stolen during data breaches to commit identity crime. If your identity is stolen, it is difficult to recover.

How to prepare for a data breach

A data breach can happen to anyone, whether through unauthorised access, phishing, stolen devices, or large-scale corporate incidents.

Preparing ahead of time can greatly reduce harm and help you respond quickly if your personal information is compromised.

Steps you can take to reduce your risk

1. Strengthen your digital security

Use strong, unique passwords or passphrases for each digital account or platform. Reusing the same or similar passwords across platforms increases the impact if one service is breached.

2. Turn on multi-factor authentication (MFA) where possible

MFA adds an extra layer of protection by requiring a second form of verification, such as a code sent to your phone or an app. This significantly reduces the risk of unauthorised access, even if your password is compromised.

3. Keep your devices and apps up to date

Where possible, automatic software and system updates should be enabled to ensure updates are applied in a timely manner. Antivirus and security software should be enabled and maintained at a current version.

4. Regularly review your accounts

Check bank accounts, online services and email accounts for suspicious or unusual activity, such as:

• logins you don’t recognise
• unexpected charges
• changes to account details.

Report anything unusual to the provider immediately.

5. Learn to recognise scams

Scammers often exploit data breaches or other events to make fraudulent messages seem more convincing. Be cautious of unexpected emails, text messages, or phone calls asking for personal information, payments, or login details, even if they appear legitimate.

For more information, see:

• Cyber security tips for individuals for more information on how to protect your identity
• Verify or report a scam for information on what to do if you think you have encountered a scam.

What to do after a data breach

If you are notified of a breach or suspect you have been a victim of a data breach, you can contact us to discuss the level of security safeguards you may need applied to your account. Phone our Client Identity Support Centre on 1800 467 033 between 8:00 am and 6:00 pm AEDT, Monday to Friday.

IDCAREExternal Link provide free and confidential support to victims of data breaches and identity theft. If you are concerned about the security of your personal information and the wider impact of identity theft, phone IDCARE on 1800 595 160.

Find out more about how to help secure your identity:

• Top cyber security tips for individuals
• Increasing your online security with myID.

How we protect clients affected by a data breach

If fraud has occurred on your tax records, we will work with you to fix your account. We may also apply protective measures to protect your account from future identity and refund fraud incidents. These protective measures may include:

• Additional proof of identity
• Additional monitoring processes
• Additional security measures.

Additional proof of identity

If you are the victim of a data breach and you contact us, we may ask you for additional proof of record ownership before we discuss your tax affairs. If you use a tax professional, we may request that you contact us directly.

To discuss additional levels of security safeguards that you can apply to your account, phone our Client Identity Support Centre on 1800 467 033 between 8:00 am and 6:00 pm AEDT, Monday to Friday.

Additional monitoring processes

We will continue to monitor your record. If we identify any irregular activity, we may contact you or your registered tax professional to make sure the activity is legitimate. This may delay the processing of tax returns and other forms.

Additional security measures

Depending on your circumstances, we may apply additional security measures in our systems.

If we apply these measures:

• you may not be able to use our online channels or myGovExternal Link unless you have a Strong Digital ID, such as myID.
• pre-fill data may not be available
• we may need to make extra checks for tax returns and other forms that could delay processing
• we may prevent business activity statements from issuing automatically. You or your tax professional will need to contact us before each lodgment so we can generate these statements.
• your digital identity may be suspended while we investigate if there has been a compromise in our online environment.