A data breach occurs when personally identifiable information (PII) an entity holds is subject to unauthorised access or disclosure to an unknown party. This may be caused by a failure in security systems, information handling, human error, or malicious action.
Data breaches may be identified through security monitoring practices by the DSP or the ATO. If we identify anomalies or areas of concern, we will work with you to address and limit the damage. In these situations, we will contact a DSP before taking serious action, for example, de-whitelisting, unless exceptional circumstances apply.
Where you identify anomalies, breaches, or security incidents, it is a requirement for DSPs to report to DPO for the ATO to mitigate damage.
A data breach may include:
- identity details being accessed or viewed by an unknown third party
- identity details compromised due to illegal access by third-party activity, for example, common online threats such as malware, spyware, or ransomware
- potentially fraudulent lodgment or action resulting from compromised identity
- mistakenly providing information to an unknown third party, for example, sending details to the wrong email address
- a breach of a third-party product or service integrating with DSP APIs.
On this page
- When to report a data breach
- How to report a data breach
- Actions we will take post breach notification
- Security tips for clients
When to report a data breach
You should report a data breach immediately from the time you are aware that PII data has been breached. This needs to be done as soon as practicable and ideally within a few hours so we can implement preventative action.
After the initial reporting of the data breach, you can then provide information in stages whilst undertaking your own internal investigations.
How to report a data breach
You must report data breaches via the incident report form in the DSP service desk within Online services for DSPs or email SBRServiceDesk@ato.gov.au. This ensures we can assess the risk or threat and undertake preventative action to reduce impacts to the ATO and community, including protecting any potentially compromised accounts from fraud.
For us to act and limit the harm caused by a data breach, we require the following information (when known):
- Appropriate contact person (specialist IT security/fraud representative).
- Nature of the breach.
- Number of affected records.
- Date and timestamp.
- Session ID reference.
- Host Services (Internet Service Provider)/IP address.
- Device ID (ESID) if available.
- Identifiable information (name/address/biographical information).
- Whether TFN details were exposed.
- Product name and type (desktop or cloud).
- What format the data is in (for example, CSV or encrypted).
Actions we will take post breach notification
We will take action to protect the integrity and confidentiality of taxation and superannuation systems. We will collaborate with you where action required relates to your product. Disclosure of action taken on client records will not be provided to you due to privacy legislation.
Where a breach has been reported or identified, we may take the following actions:
- apply security measures to protect client accounts
- provide communication direct to a user of an impacted product
- switch off an impacted product or API
- suspend or delay access to APIs.
Security tips for clients
We have security advice for tax professionals, businesses and individuals.
The Australian Cyber Security Centre also has targeted guidance for individuals and business to stay safe online, including implementing the essential 8.