Show download pdf controls
  • Data breach guidance for individuals

    If you have experienced a data breach that has compromised your tax identity, we have advice to help protect you.

    On this page

    If your personal information is lost or stolen

    If your personal information has been lost or stolen in a data breach, it can lead to identity crime, as well as fraud on your tax or superannuation accounts.

    If you have experienced a data breach that has compromised your tax identity, we have advice to help you protect your information and account.

    We can take action to identify and protect you against potential tax and super fraud.

    How data breaches can happen

    You may be impacted by a data breach where your personal information is stolen by an unauthorised third party. Data breaches can include both physical and digital records.

    A data breach may be a result of:

    • your employer, tax agent or another organisation's accounts being compromised
    • a home or office break-in
    • someone hacking into your computer systems or using targeted phishing emails to compromise your electronic devices
    • your records being accidentally left somewhere.

    Criminals can use personal information stolen during data breaches to commit identity crime. If your identity is stolen, it is difficult to recover.

    What to do after a data breach

    • If you are notified of a breach or suspect you have been a victim of a data breach, contact our Client Identity Support Centre on 1800 467 033 Monday to Friday 8:00 am–6:00 pm AEST. We will discuss with you the level of security safeguards that may need to be applied to your account.
    • If you are concerned about the security of your other personal information and the wider impact of identity theft, we recommend you speak with IDCAREExternal Link on 1800 595 160. IDCARE provide free and confidential support to victims of data breaches and identity theft.
    • We recommend you take note of our top cyber security tips for individuals to help make your identity more secure.

    How we protect clients affected by a data breach

    If fraud has occurred on your tax records, we will work with you to fix your account. We may also apply protective measures to protect it from future identity and refund fraud incidents, such as:

    Additional proof of identity

    If you are the victim of a data breach, we may ask you for additional proof of record ownership before we discuss your tax affairs. This will apply when you interact with us. Even if you use a tax professional, we may request that you contact us directly.

    Asking questions only you will know assures us we are dealing with a genuine client, and not an unauthorised third party.

    You may also choose to have a secret password created on your record. Secret passwords validate your identity when you deal with us.

    You can set up a secret password with our staff over the phone. However, if we are unable to establish your proof of identify, we may request you visit a shopfront with proof-of-identity documentation. You can also complete the tax file number enquiry form on the Australia PostExternal Link website.

    Additional monitoring processes

    We will continue to monitor your record. If we identify any irregular activity, we may contact you or your registered tax professional to make sure the activity is legitimate. This may delay the processing of tax returns and other forms.

    Additional security measures

    Depending on your circumstances, we may apply additional security measures within our systems.

    If we apply these measures:

    • you may not be able to use our online channels or myGovExternal Link
    • pre-fill data may not be available
    • we may need to make extra checks for tax returns and other forms that could delay processing
    • we may prevent business activity statements from issuing automatically. You or your tax professional will need to contact us before each lodgment so we can generate these statements.
    • your digital identity may be suspended while we investigate if there has been a compromise in our online environment.

    Large data breaches

    We are aware of large data breaches such as the Optus data breach and Medibank cyber incident and that people who have been affected might be concerned about their personal information.

    We want to assure you that ATO systems have not been affected.

    Last modified: 30 Nov 2022QC 54174