  • Protective measures for individuals following a data breach

    Criminals use personal information stolen via data breaches to commit identity crimes. This can leave their victims with a bad credit rating and impact their ability to gain finance, run a business or to access government services.

    Once your identity is stolen it can take a long time to recover.

    Data breaches are often a precursor for refund fraud. The ATO has sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud to meet its obligations to protect government revenue and clients.

    Data breaches and client protection

    You may be impacted by a data breach where your personal information is stolen by an unauthorised third party for intended misuse. This can include both physical and digital records.

    A data breach may be a result of:

    • your employer's or tax agent's accounts being compromised
    • a home or office break-in
    • someone hacking into your computer systems, or targeted phishing emails that compromise your electronic devices
    • your records being accidentally left somewhere.

    What we recommend you do

    • If you are notified of a breach, or suspect you have been a victim of a data breach, contact us on 1800 467 033 Monday to Friday, 8:00am–6:00pm to discuss the level of security safeguards that may need to be applied to your account.
    • If you are concerned about the security of your other personal information and the wider impact of identity theft, we recommend you speak with IDCARE on 1300 432 273. IDCARE provide free and confidential support to victims of data breaches and identity theft.
    • We recommend you review your current security practices to ensure you are aware of how to keep your information safe.

    How we protect clients affected by a data breach

    If fraud has occurred on your tax records we will work with you to rectify this. We may also apply protective measures on your account to protect it from future identity and refund fraud incidents.

    If you are the victim of a data breach we may ask you for additional proof of record ownership before we discuss your tax affairs.

    This will apply when you interact with us. Even if you use a tax professional, we may request that you contact us directly.

    Asking questions only you will know assures us we are dealing with the genuine client, and not an unauthorised third party.

    You may also elect to have a secret password created on your record. You can complete this with our staff over the phone or by attending one of our shopfronts with proof-of-identity documentation. Secret passwords validate a client’s identity when they deal with us.

    If we are unable to establish your proof of identity over the phone we may request you attend a shopfront or complete the tax file number enquiry form on the Australia Post website.

    Additional monitoring processes

    We will continue to monitor your record. If we identify any irregular activity, we may contact you or your registered tax professional to ensure the activity is legitimate. This may delay our processing of income tax returns and other forms.

    Additional security measures

    Depending on your circumstances, we may also apply additional security measures within our systems. These measures prevent particular activity where we perceive increased risk to our taxation and superannuation systems and government revenue.

    What this means for you:

    • your record may not be accessible through our online channels or myGov
    • pre-fill data may not be available
    • we may stop income tax returns and other forms for verification; this may delay our processing of these forms
    • we may prevent business activity statements from issuing automatically; you or your tax professional will need to contact us before each lodgment so we can generate these statements
    • AUSkey applications will be delayed while we confirm the validity of the application with you.

    Change AUSkey password

    If you are aware or suspect that your AUSkey has been compromised, we recommend you log in to the Australian Business Register AUSkey website and change your password.

    If you are a standard AUSkey holder you should also inform the AUSkey Administrator.

    If you are the Administrator AUSkey holder you should cancel an AUSkey when you are alerted to unauthorised access. You should also:

    • check AUSkey Manager and confirm all transactions are legitimate
    • regularly log in to AUSkey Manager to ensure only those authorised to have access to the portals hold active AUSkeys
    • cancel AUSkeys for staff who no longer require them
    • remove access immediately if your client has any concerns about an individual AUSkey holder's activities
    • ensure any employee who deals with us online on behalf of your business has their own AUSkey
    • keep AUSkey passwords secure – they should not be shared.

    See also:

    • Further information on how to change your password is available on the AUSkey website.
    • Contact the AUSkey technical helpline for assistance on 1300 AUSKEY (1300 287 539).
    Last modified: 04 Jan 2018 (QC 54174)