To protect the integrity of the tax and superannuation systems, DSPs must maintain the highest standards for managing the integrity of confidential taxpayer information.
This page provides the protocols for identifying and reporting security events and data breaches to the ATO.
Definitions
DSPs must distinguish between general security events and those involving the exposure of sensitive data.
Security event
Any event that has, or has the potential to have, an adverse impact on the confidentiality, integrity, and availability of DSP systems. Security events may or may not involve the exposure of confidential taxpayer information.
Data breach
A type of security event where confidential taxpayer information (individual and non-individual) held within a DSP system is reasonably suspected to have been exposed to an unauthorised third party. This includes breaches occurring via fourth party supply chains or integrated services.
Confidential taxpayer information (individual and non-individual) includes, but may not be limited to:
- Tax file numbers (TFNs)
- Government issued ID documents, such as Driver’s License, Medicare Card, or Passport
- Banking or financial details
- Employee payroll, tax, or super information (e.g., Payee Payroll ID, OTE/PAYG withholding amounts, or tax treatment codes)
- Identity attributes linked to tax records, (e.g., relationship/biographical data, shared secrets/authorised representative information, or myID strength levels)
Examples of other security events (no data breach)
Security events that do not result in the exposure of confidential taxpayer information may include:
- Stolen credentials or account take overs (e.g. unauthorised password resets) where no confidential taxpayer information is exposed
- Distributed Denial of Service (DDoS) attacks
- Blocked or unsuccessful intrusion attempts
- Malware detected and contained with no data access
Reporting requirements
When to report
You must report a data breach within one business day once identified. Initial notification should occur as soon as practicable to allow the ATO to implement protective measures on client accounts and prevent fraudulent lodgments. We do not expect a complete forensic picture at this stage.
In most cases, a security event without exposure of confidential taxpayer information will not need to be reported to the ATO.
If you are unsure whether an event meets the threshold for reporting, it is always better to report. Early engagement allows the ATO to assist in assessing the risk and ensures the integrity of confidential taxpayer information.
How to report
You must report data breaches via the report data breach ticket in the DSP service desk within Online services for DSPs. This ensures we can assess the risk or threat and undertake preventative action to reduce impacts to the ATO and community, including protecting any potentially compromised accounts from fraud.
What information to provide
To allow our teams to take immediate corrective action, you must provide the following data in your initial report:
- Basic event information: DSP product name, date identified, and whether the issue is currently ongoing
- Data attributes: the specific types of information affected (e.g., client identifiers, bank accounts) and the approximate number of impacted client records
You may provide the following at the same time or once it has been collected:
- Forensic evidence: where available, attach logs, screenshots, or summaries of unauthorised changes to client records
- Technical metadata: relevant IP addresses, session IDs, indicators of compromise (e.g., malware or phishing details)
ATO handling of reported information
In accordance with the Archives Act (1983), where a security event or data breach is reported, the information provided becomes part of ATO’s records and will be retained for the appropriate period.
Information provided in these reports is used solely for the purposes of securing client accounts, investigating the scope of the breach, and improving the overall security of the tax ecosystem.
Compliance and mutual obligations
Where a breach has been reported, the ATO works collaboratively with DSPs to mitigate risk. We may take the following actions:
- Apply security measures to protect client accounts
- Provide communication direct to a user of an impacted product
- Switch off an impacted product or API
- Suspend or delay access to APIs.
Note: Failure to report a known data breach may result in the de-whitelisting of the software product.
Reporting data breaches to the ATO is a requirement under the DSP Operational Security Framework (OSF). This does not replace your legal obligation to assess and notify the Office of Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme