    Data breach guidance for business

    Information security is an important aspect of your business. It’s important you keep all your business, staff and client information secure. If your data is lost or compromised, it can be very difficult and costly to recover.

    Data breaches are often a precursor to refund fraud. We have sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud, to assist us in meeting our obligation to protect government revenue.

    Data breaches and client protection

    A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.

    This information may include:

    • employee payroll, tax, and superannuation information
    • confidential business documents
    • banking details.

    Examples of data breaches include but are not limited to:

    • unauthorised removal of computers, data, or records in both paper and digital formats
    • people with legitimate access to the data using it for fraudulent means
    • accessing taxpayer files using a fraudulently obtained credential such as an AUSkey
    • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
    • accidental disclosure of information – for example, records emailed to an unauthorised third party, or hard copies left in a public place
    • payroll information for your employees being unlawfully accessed
    • unauthorised access to cloud-based accounting software you use to store information.

    What we recommend you do

    You are encouraged to report any data breaches to us to ensure protective measures can be placed on client accounts, protecting them and government revenue from further harm.

    If a breach occurs within your business we recommend the following actions.

    • Contact us on 1800 467 033 Monday to Friday, 8.00am–6.00pm, so that we may apply measures to protect your business, staff and clients where necessary.
    • Contact our Digital Partnership Office (DPO) on 1300 139 052 Monday to Friday, 8.00am–6.00pm, if you are a digital service provider or software developer.
    • Review the guidance material on the Office of the Australian Information Commissioner (OAIC) website to ensure you comply with any obligations you may have under the Privacy Act 1988, including the Notifiable Data Breaches Scheme (NDBS).
    • Inform impacted employees or business associates of the breach. This may include software providers, such as your payroll services, if you suspect the breach originated in one of their service offerings.
    • Consider what information was accessed during the breach and take steps to safeguard this where necessary – for example, you may need to cancel your AUSkey.
    • Take steps to secure the information in your business by ensuring all security software and controls are up to date.
    • Review systems access and remove it for people who no longer require it.
    • Continue to follow security best practice to reduce the risk in your business and reinforce these practices with your staff.

    If you, your impacted employees, clients or business associates are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCARE on 1300 432 273. IDCARE provides free advice and confidential support to victims of data breaches and identity theft.

    Case study: Fraudulent action

    A former employee of an accounting firm stole a large number of client details prior to moving to a new role at a competing accounting firm. Using the new employer's AUSkey, they changed bank account details of the first firm's clients. They then lodged a number of fraudulent tax returns in these clients' names in order to illegally obtain their tax refunds. The new firm terminated the employee as a result of the fraudulent activity.

    We worked with the businesses to cancel AUSkeys and issue new ones. Protective measures were applied within our systems to client accounts for each accounting firm.

    Unauthorised access to systems by past employees is a common cause of security breaches or fraud for businesses. A disgruntled ex-employee may cause damage to your business through identity compromise, or by copying or destroying data.

    Both business owners and tax professionals are encouraged to regularly review system access, including AUSkey, and immediately revoke access for any person who no longer requires it, has changed roles, or is no longer employed by your organisation.

    How we protect clients affected by a data breach

    If a data breach has occurred at your business it is important you understand the steps we may take to safeguard taxpayer data and our taxation and superannuation system.

    Treatment options

    We may apply treatment options to any files impacted by the breach in order to protect our clients and government revenue.

    These treatments may include asking for additional proof of ownership, requesting additional verification for forms we receive (including tax returns) and the removal of access to online services such as ATO online.

    Additional monitoring processes

    When a breach has occurred we will continue to monitor any impacted ATO records to ensure transactions on these accounts are accurate. If we identify any irregular activity, we may contact you to verify the accuracy of the information provided or legitimacy of any account activity.

    This may delay our processing of income tax returns and other forms.

    What this means for you:

    • AUSkey applications will be delayed while we confirm the validity of the application with them
    • your record may not be accessible through our online channels or myGov
    • pre-fill data may not be available
    • we may prevent business activity statements from issuing automatically; you will need to contact us before each lodgment so we can generate these statements
    • we may stop income tax returns and other forms for verification; this may delay our processing of these forms.

    Appointment of a data breach manager

    In some cases we may assign a data breach manager who will assist you in the management of data breaches within your business. The data breach manager can provide support to lessen the impact of the data breach on your business and your clients.

    Change AUSkey password

    If you are aware or suspect that your AUSkey has been compromised, we recommend you log in to the Australian Business Register AUSkey website and change your password.

    If you are a standard AUSkey holder you should also inform the AUSkey Administrator.

    If you are the Administrator AUSkey holder, you should cancel an AUSkey when you are alerted to unauthorised access. You should also:

    • check AUSkey Manager and confirm all transactions are legitimate
    • regularly log in to AUSkey Manager to ensure only those authorised to have access to the portals hold active AUSkeys
    • cancel AUSkeys for staff who no longer require them
    • remove access immediately if your client has any concerns about an individual AUSkey holder's activities
    • ensure any employee who deals with us online on behalf of your business has their own AUSkey
    • keep AUSkey passwords secure – they should not be shared.

    See also:

    • Further information on how to change your password is available on the AUSkey website
    • Contact the AUSkey technical helpline for assistance on 1300 AUSKEY (1300 287 539)

    Last modified: 07 Dec 2018
    QC 54172