Data breach guidance for business

    Information security is an important aspect of your business. It’s important you keep all your business, staff and client information secure. If your data is lost or compromised, it can be very difficult and costly to recover.

Data breaches are often a precursor to refund fraud. We have sophisticated mechanisms in place for identifying and protecting against potential refund and superannuation fraud, to assist in meeting our obligation to protect government revenue.

    Data breaches and client protection

A data breach occurs when confidential taxpayer information is accessed by, or disclosed to, an unauthorised third party, whether deliberately or by accident.

    This information may include:

    • employee payroll, tax, and superannuation information
    • confidential business documents
    • banking details.

    Examples of data breaches include but are not limited to:

    • unauthorised removal of computers, data, or records in both paper and digital formats
    • people with legitimate access to the data using it for fraudulent means
    • accessing taxpayer files using a fraudulently obtained credential such as myGovID
    • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
    • accidental disclosure of information – for example, records emailed to an unauthorised third party, or hard copies left in a public place
    • payroll information for your employees being unlawfully accessed
    • unauthorised access to cloud based accounting software you use to store information.

    What we recommend you do

    You are encouraged to report any data breaches to us to ensure protective measures can be placed on client accounts, protecting them and government revenue from further harm.

    If a breach occurs within your business we recommend the following actions.

    • Contact us on 1800 467 033 Monday to Friday, 8.00am–6.00pm, so that we may apply measures to protect your business, staff and clients where necessary.
    • Contact our Digital Partnership Office (DPO) on 1300 139 052 Monday to Friday, 8.00am–6.00 pm, if you are a digital service provider or software developer.
• Review the guidance material on the Office of the Australian Information Commissioner (OAIC) website to ensure you comply with any obligations you may have under the Privacy Act 1988, including the Notifiable Data Breaches Scheme (NDBS).
    • Inform impacted employees or business associates of the breach. This may include software providers, such as your payroll services, if you suspect the breach originated in one of their service offerings.
• Consider what information was accessed during the breach and take steps to safeguard it where necessary – for example, you may need to report inappropriate access to your myGovID.
    • Take steps to secure the information in your business by ensuring all security software and controls are up to date.
    • Review systems access and remove it for people who no longer require it.
    • Continue to follow security best practice to reduce the risk in your business and reinforce these practices with your staff.

    If you, your impacted employees, clients or business associates are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCARE on 1300 432 273. IDCARE provide free advice and confidential support to victims of data breaches and identity theft.

    Case study: Business email compromise

Business email compromise presents an increasing risk to business. Attackers gain access to corporate email accounts, or spoof the business's email address, in an attempt to steal personal identifying information or to defraud the company, its employees or its customers of money.

Spoofing is where an email is sent from a fake website or email address disguised as a legitimate one, in this case the tax agent's. Hovering over, or expanding, the sender's name reveals the address actually used, which may differ from the name displayed, and hovering over a link reveals its true destination. Note that this does not expose a forged From header, so also check the Reply-To address and your mail system's SPF, DKIM and DMARC results before acting on the message.

A recent report advised that a tax agent's email address had been spoofed by a fraudster. The fraudster sent an email, which seemed legitimate, to the agent's client list asking them to complete a "personal data request form". This was an attempt to harvest client identifying information with the aim of committing future identity and tax fraud.

    We took immediate action and applied protective measures within our systems to affected client accounts, entity accounts and employee accounts.

Cyber and phishing attacks can be devastating for a business and are often the precursor to further attacks on your client, business and employee data. If you receive a suspected scam or phishing email, do not click on any links, open attachments, download files or install applications; these may install malware on your computer designed to steal identity credentials.


    How we protect clients affected by a data breach

    If a data breach has occurred at your business it is important you understand the steps we may take to safeguard taxpayer data and our taxation and superannuation system.

    Treatment options

    We may apply treatment options to any files impacted by the breach in order to protect our clients and government revenue.

These treatments may include asking for additional proof of ownership, requesting additional verification for forms we receive (including tax returns), and removing access to online services such as ATO online.

    Additional monitoring processes

When a breach has occurred, we will continue to monitor any impacted ATO records to ensure transactions on these accounts are accurate. If we identify any irregular activity, we may contact you to verify the accuracy of the information provided or the legitimacy of any account activity.

    This may delay our processing of income tax returns and other forms.

    What this means for you:

    • your record may not be accessible through our online channels or myGov
    • pre-fill data may not be available
    • we may prevent business activity statements from issuing automatically; you will need to contact us before each lodgment so we can generate these statements
    • we may stop income tax returns and other forms for verification; this may delay our processing of these forms.

    Appointment of a data breach manager

In some cases we may assign a data breach manager who will assist you in managing data breaches within your business. The data breach manager can provide support to lessen the impact of the data breach on your business and your clients.

    Inappropriate access to myGovID

    myGovID offers a greater level of security with identity document verification, compared to username and password credentials and SMS verification codes.

If you are aware, or suspect, that someone has inappropriately accessed your personal information in myGovID, report this immediately.

    Contact the myGovID support line on 1300 287 539 (select option 2 for myGovID enquiries) between 8.00am and 6.00pm AEST, Monday to Friday.

International callers can contact us by phoning our switchboard on +61 2 6216 1111 between 8.00am and 5.00pm AEST and requesting that the call be transferred to the myGovID support line.

    See also:

• Visit the myGovID website for more information and tips about myGovID security and staying safe online.

Last modified: 31 Mar 2020
QC 54172