ato logo
Search Suggestion:

Data breach guidance for businesses

If your business experiences a data breach, there are steps you can take to limit damage to your business.

Last updated 21 May 2023

How data breaches can happen

A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.

This information may include:

  • employee payroll, tax, and super information
  • confidential business documents
  • banking details.

Examples of data breaches include, but are not limited to:

  • unauthorised removal of computers, data, or records in both paper and digital formats
  • people with legitimate access to the data using it for fraudulent activity
  • accessing taxpayer files using a fraudulently obtained credential, such as myGovID
  • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
  • accidental disclosure of information, for example, records emailed to an unauthorised third party or hard copies left in a public place
  • payroll information for your employees being unlawfully accessed
  • unauthorised access to cloud-based services you use to store information.

How to prepare for a data breach

It is crucial for businesses of all sizes to have a data breach response plan in place. It details the roles and responsibilities that need to be actioned if your business encounters a data breach.

The Office of the Australian Information Commissioner (OAIC)External Link provides guidance on how to create a strong data breach response plan. For example, it should include:

  • clear escalation procedures and reporting lines for suspected breaches
  • processes that outline when and how affected individuals are notified
  • a record-keeping policy to ensure breaches are documented
  • strategies to identify and address any data handling weaknesses that could have contributed to the breach

You should regularly review and test your plan to ensure it is current and addresses the requirements outlined by the OAIC.

Educating yourself and your employees on potential red flags of a data breach can help you quickly identify and implement your response plan. Indicators include:

  • receiving texts or emails about login attempts, password resets or multifactor authentication codes that you didn't request, such as myGov codes
  • noticing changes to files and document that were not made by you or your staff
  • your devices behaving differently such as glitching or running abnormally slow
  • logins from devices and locations you don’t recognise in your account activity or sign-in logs.
  • unexplained or unexpected activity on your credit file or bank account statements.

Further information on detecting data breaches and cyber incidents is available from the Australian Cyber Security CentreExternal Link.

What to do after a data breach

You should report any data breaches to us so we can place protective measures on client accounts.

If a breach occurs within your business, we recommend you:

  • Phone our Client Identity Support Centre on 1800 467 033 Monday to Friday, 8:00 am–6:00 pm AEST, so that we can apply measures to protect your business, staff and clients where necessary.
  • If you are a digital service provider or software developer, use the Report data breach form within Online Services for DSPsExternal Link, or phone the SBR Service Desk on 1300 488 231, available every day, 8:00 am–6:00 pm AEST.
  • Review the Office of the Australian Information Commissioner's (OAIC) information about notifiable data breachesExternal Link to make sure you comply with your obligations under the Privacy Act 1988, including the Notifiable Data Breaches (NDB) scheme.
  • Tell affected employees or business associates about the breach. These may include software providers, such as your payroll services, especially if you suspect the breach originated in one of their service offerings.
  • Consider what information was accessed during the breach and take steps to safeguard this where necessary. For example, you may need to report inappropriate access to your myGovID.
  • Take steps to secure the information in your business by updating all security software and controls.
  • Review systems access and remove it for people who no longer need it.
  • Continue to follow security best practicesExternal Link and reinforce these practices with your staff to reduce the risk to your business.

If you, your impacted employees, clients or business associates are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCAREExternal Link on 1800 595 160. IDCARE provide free advice and confidential support to victims of data breaches and identity theft.

Start of example

Case study: Compromise of business email account

Compromised business email accounts are an increasing risk to business. Fraudsters gain access to corporate email accounts and spoof the business email address. They do this to steal personal identifying information or to defraud the company, its employees or customers of money.

Spoofing is where an email is sent from a fake website or email address disguised as a legitimate website or email address. If you hover the mouse icon over the email address, the true source of the email will be shown.

A recent report advised a tax agent’s email address was spoofed by a fraudster. The fraudster sent an email, which seemed legitimate, to the agent’s client list asking them to complete a personal data request form. This was an attempt to harvest client identifying information to commit future identity and tax fraud.

We took immediate action and applied protective measures to the affected client, entity and employee accounts.

Cyber and phishing attacks can be very damaging for business and can often lead to further attacks on your client, business and employee data.

Staff education is critical. If you receive a suspected scam phishing email, do not:

  • click on any links
  • open any attachments
  • download any files
  • install any applications.

These files may install a virus on your computer to steal identity credentials.

End of example

How we protect clients affected by a data breach

If a data breach has occurred at your business, it is important you understand the steps we may take to safeguard taxpayer data and our tax and superannuation systems.

To protect the community we may apply treatment options to any files impacted by the data breach, which may include:

Additional proof of identity

If your business is the victim of a data breach, we may ask you for additional proof of record ownership before we discuss your tax affairs. This will apply when you interact with us. Even if you use a tax professional, we may request that you contact us directly.

Asking questions only you will know assures us we are dealing with your business and not an unauthorised third party.

You may also choose to have a secret password created on your record. Secret passwords validate your identity when you deal with us.

You can set up a secret password with our staff over the phone. However, if we are unable to establish your proof of identify over the phone we may request you visit a shopfront with proof-of-identity documentation or complete the tax file number enquiry form on the Australia PostExternal Link website.

Additional monitoring processes

When a breach has occurred we will continue to monitor any impacted ATO records to make sure transactions on these accounts are accurate. If we identify any irregular activity, we may contact you to verify the accuracy of the information provided or the legitimacy of any account activity.

This may delay processing of tax returns and other forms.

Additional security measures

Depending on the circumstances, we may apply additional security measures within our systems.

If we apply these measures:

  • you may not be able to use our online channels or myGov
  • pre-fill data may not be available
  • we may prevent business activity statements from issuing automatically. You will need to contact us before each lodgment so we can generate these statements.
  • we may need to make extra checks for tax returns and other forms that could delay processing.

Appointment of a data breach manager

In some cases, we may assign a data breach manager who will assist you in the management of data breaches within your business. They can provide support to reduce the impact on your business and your client.

Inappropriate access to myGovID

myGovIDExternal Link uses encryption and cryptographic technology and the security features in your device, such as fingerprint or face, to protect your identity.

If you are aware or suspect someone has inappropriately accessed your personal information in myGovID, you need to report this immediately.

Contact the myGovID support line on 1300 287 539 (select option 2) between 8:00 am and 6:00 pm AEST, Monday to Friday.

International callers can contact us by phoning our switchboard on +61 2 6216 1111 between 8:00 am to 5:00 pm AEST, Monday to Friday, and requesting your call be transferred to the myGovID support line.

For more information and tips about staying safe online, see myGovID securityExternal Link.

To help protect your business from a data breach, we recommend you: