Data breaches

Organisations collect and store a lot of personal details. You trust them with your address, credit card number, health records and more.

Sometimes personal information is released to unauthorised people by accident, or as the result of a security breach. For example, an email with personal information can be sent to the wrong person, or a computer system can be hacked and personal information stolen. These are known as data breaches, or data spills.

The Notifiable Data Breaches scheme

In Australia, the Notifiable Data Breaches scheme means many organisations must tell you if your personal data has been involved in a data breach and this has put you at risk of serious harm. This could include serious physical, psychological, emotional, financial, or reputational harm.

When an organisation notifies you about a data breach, they must also provide recommendations for how you can protect yourself.

The scheme applies to Australian Government agencies, businesses, and not-for-profit organisations with an annual turnover of more than $3 million, credit reporting bodies, and health service providers, among others.

What can I do to prevent data breaches?

Data breaches normally involve your information being stored on someone else’s system. In practice, you cannot stop another organisation from being breached; what you can do is reduce how likely such a breach is to affect you, and limit the harm it causes if it does.

Prepare for the possibility of a breach

  • Minimise the amount of personal information shared with an organisation. Only tell organisations the information they need to provide the service, rather than everything they ask for. For example, be careful about how much information you give away in security questions for password recovery on websites: a site might ask for your mother’s maiden name, but you can put something else in there as long as you will remember it.
  • Look for organisations that have a commitment to cyber security. Think twice about using businesses with a poor security reputation; take your business elsewhere if their cyber security is inadequate.

Minimise the impact of a breach

  • Avoid re-using passwords, so that if one of your service providers loses your password, it doesn’t compromise your access to other services. If you did use a compromised password in other places, reset the password on each of those services immediately.
  • Back up important information. A data breach may not just result in a loss of personal information; it could also result in a loss of access to some information held by the affected organisation.
  • Use multi-factor authentication for critical services, such as your online tax return, or even email.

Understand the breach

  • Know how you are affected. If you are informed of a breach, or read about one in the media, make sure you understand what data may be affected. Visit the website of the affected organisation and look for any official communications. The personal impact to you will vary depending on what has been breached.
  • Validate communications from an organisation. Scammers might try to take advantage of you during the confusion of a data breach. For example, if you receive an email notifying you of a security breach and asking you to reset your password, use the legitimate password reset process on the organisation’s own website, rather than a link in the email.
  • Review access logs. Some online services, like webmail, allow you to view what devices, logins, or transactions have recently accessed your service. If you think your account has been compromised, check if you can view the logs.

How do I recover from a data breach?

The Office of the Australian Information Commissioner provides a range of steps you can take if your information has been released as part of a data breach.

You can also contact Australia and New Zealand’s national identity and cyber support service, IDcare, on 1300 432 273 or use their free Cyber First Aid Kit to help you work out what to do.