Data breaches

On this page:

What is a data breach

A data breach occurs when personally identifiable information (PII) an entity holds is subject to unauthorised access or disclosure to an unknown party. This may be caused by a failure in security systems, information handling, human error or malicious action.

Data breaches may be identified through security monitoring practices by the digital service provider (DSP) or the ATO. If we identify anomalies or areas of concern, we will work with you to address and limit the damage. In these situations, we will contact you before taking serious action, for example, de-whitelisting, unless exceptional circumstances apply.

Where you identify anomalies, breaches or security incidents, it is a requirement for you as a DSP to report to us so we can mitigate damage.

A data breach may include:

  • identity details being accessed or viewed by an unknown third party
  • identity details compromised due to illegal access by third-party activity, for example, common online threats such as malware, spyware, or ransomware
  • potentially fraudulent lodgment or action resulting from compromised identity
  • mistakenly providing information to an unknown third party, for example, sending details to the wrong email address
  • a breach of a third-party product or service integrating with DSP APIs.

When to report a data breach

You should report a data breach immediately from the time you are aware that PII data has been breached. This needs to be done as soon as practicable and ideally within a few hours so we can implement preventative action.

After the initial reporting of the data breach, you can then provide information in stages whilst undertaking your own internal investigations.

How to report an incident

You must report data breaches via the incident report form in the DSP hub or via the SBR service desk on 1300 488 231. This ensures we can assess the risk or threat and undertake preventative action to reduce impacts on us or clients, including protecting any potentially compromised accounts from fraud.

For us to act and limit the harm caused by a data breach, we require the following information (when known):

  • Appropriate contact person (specialist IT security/fraud representative)
  • Nature of the breach
  • Number of affected records
  • Date and timestamp
  • Session ID reference
  • Host services (Internet Service Provider/IP address)
  • Device ID (ESID) if available
  • TFN information
  • Non-TFN information (name/address/biographical information)
  • Product name and type (desktop or cloud)
  • What format the data is in (for example, CSV or encrypted).

Actions we will take post breach notification

We will take action to protect the integrity and confidentiality of taxation and super systems. We will collaborate with you where action required relates to your product. Disclosure of action taken on client records will not be provided to you due to privacy legislation.

Where a breach has been reported or identified, we may take the following actions:

  • Apply security measures to protect client accounts
  • Provide communication direct to a user of an impacted product
  • Switching off an impacted product or API
  • Suspend or delay access to APIs.

Last modified date