Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

What to do after a data breach notification

You’ve found out that your personal information was involved in a data breach by an agency or organisation. This guide covers the steps you can take, which may help reduce the chance of experiencing harm.

Data breaches can be distressing for many people. We have listed a range of relevant support services below and you may wish to reach or to family and friends for support.

Receiving a data breach notification

Australian Government agencies and organisations with obligations under the Privacy Act 1988 (Privacy Act) must notify individuals affected by certain data breaches under the Notifiable Data Breaches (NDB) scheme (see Receiving data breach notifications). In a notification, they must give you information about the data breach and recommend steps you can take to reduce the chance of harm. You may be notified about a data breach directly (such as by an email) or indirectly by the agency or organisation promoting a notification on their website.

If you want more information about a notified data breach, get in touch with the agency or organisation that experienced the breach.

Is this a real data breach notification, or a phishing scam?

A phishing scam is an attempt by scammers to trick you into giving them your personal information, such as your bank account details or passwords.

Avoid clicking on links in emails, or sharing your personal information on the phone or by email, unless you are certain that the agency or organisation that has contacted you is genuine. Instead, contact the agency or organisation through publicly available contact details (such as the phone book or their website).

Read more about scams on Scamwatch.

Take action to reduce your risk of harm

By acting quickly after you’ve been notified of a data breach, you can reduce your chance of experiencing harm.

Listed below are some steps you could take, depending on the type of personal information involved in the data breach.

Keep a record of any action you take or any assistance you seek. This may become useful if you experience harm as a result of the data breach.

Financial information e.g. credit card details, online banking login

  • If you have questions about a data breach that aren’t answered by a data breach notification, contact your bank or financial institution. Only contact your financial institution using contact details found on their website or in the phonebook

  • Change your online banking account passwords. Make sure you have strong passwords that you have not used for other accounts.

    •  When updating your internet banking passwords, go to the financial institution’s website directly by typing their web address into your web browser. Remember, generally banks will not initiate contact with you with an email requesting you to click on a link to update your password.

    • You might also consider enabling multi-factor authentication for your accounts if it is available. Multi-factor authentication requires you to confirm your identity with two or more pieces of evidence (such as a password and a security code sent to your mobile phone). Having multi-factor authentication makes it more difficult for someone to gain access to your online accounts.

  • Change your banking PIN number

  • Monitor your bank account transactions online and bank account statements. If you spot any purchases you didn’t make, immediately report these to your bank

  • Stay Smart Online has further information about creating strong passwords and two-factor authentication.

Contact information e.g. home address, email, phone number

  • Know how to spot a scam. Scamwatch provides helpful information about protecting yourself from scams. You can subscribe to their Scamwatch Radar newsletter for email alerts on the latest scams. Be aware that if your name and contact details were involved in a data breach, a scam email might be personalised and address you by name.

  • Change your email account passwords. Make sure you have strong passwords that you haven’t used for other accounts.

  • If you emailed yourself online account passwords, such as your online banking password, change these as well.

  • Enable multi-factor authentication for your email accounts where possible.

  • Ensure you have up-to-date anti-virus software installed on any device you use to access your emails.

  • Do not open attachments or click on links in emails or social media messages from strangers or if you’re unsure that the sender is genuine.

  • Do not share your personal information until you are certain about who you are sharing it with. If someone calls you and claims to be from an agency or organisation, you can hang up and call the agency or organisation back using publicly available contact details (e.g. from their website or a phone book) to be sure you are really talking to a staff member from that agency or organisation.

  • If your physical safety is at risk, contact the police. If your mental health and safety is at risk, contact your doctor, your local crisis team, or one of the organisations listed below under ‘Support services’.

Health information

  • If you have questions that aren’t answered by a data breach notification, get in contact with the health service provider about the data breach

  • Contact your doctor, local crisis team, one of the support services listed below, or your family or friends if you experience distress.

Sensitive information About sexuality, race, political views, etc.

  • Contact the agency or organisation that experienced the data breach if you have questions that aren’t answered by a data breach notification

  • Contact your doctor, local crisis team, one of the support services listed below, or your family or friends if you experience distress.

  • If your physical safety is at risk, contact the police.

  • The Office of the eSafety Commissioner has resources that provide advice on a range of online safety issues, which may help you if you experience online harassment, racism, or abuse.

Tax file number information

  • If your tax file number or other tax-related information is involved in a data breach, contact the Australian Taxation Office (ATO). The ATO can apply security measures that will monitor any unusual or suspicious activity with your TFN. If you suspect the misuse of your TFN, you can phone the ATO’s Client Identity Support Centre on 1800 467 033 between 8.00am and 6.00pm, Monday to Friday

  • Find out more about protecting yourself from identity fraud below.

Government identity document information e.g. driver’s licence, Medicare card, passport

Protecting yourself from identity fraud

Identity fraud (also known as ‘identity theft’) involves someone using another person’s personal information without consent, often to obtain a benefit. For example, identity fraud can result in someone using another person’s identity to open bank accounts, obtain a credit card, apply for a passport, or conduct illegal activity.

If you suspect you could be a victim of identity fraud:

  • Report the matter to your local police. Ask for a police report or reference number so you have evidence that you reported the issue.

  • Inform the agency or organisation that issued your identity document.

  • Contact your bank or financial institution and tell them what happened.

  • Change your account passwords and close any unauthorised accounts.

  • You can contact IDCARE. IDCARE is Australia’s national identity and cyber support service. They can connect you with a specialist identity and cyber security counsellor for expert advice.

  • You can get a copy of your credit report to check it is accurate (you are entitled to a free credit report every year). This report will also show you which organisations have recently checked your credit history, so you can tell them not to authorise a new account in your name. Find out more about accessing your credit report.

  • Consider contacting credit reporting bodies to place a ban period on your credit report (see our Privacy fact sheet 37: Fraud and your credit report). This means they will not be able to share your credit report with credit providers without your consent for 21 days (unless extended).

    The credit reporting bodies in Australia are:

  • Apply for a Commonwealth victims’ certificate. This certificate helps support your claim that you have been the victim of a Commonwealth identity crime. You can present the certificate to government agencies or businesses to re-establish your credentials or remove fraudulent transactions from their records. Read more on the Attorney-General’s Department website.

  • You can contact the Australian Cybercrime Online Reporting Network (ACORN) to securely report instances of cybercrime. You will receive a reference number for the report. ACORN is a national policing initiative of the Commonwealth, State, and Territory governments.

  • IDCARE, Stay Smart Online and the Australian Federal Police have published guidance on what you can do to lower your risk of experiencing identity theft.

Making a privacy complaint

If you think that a data breach may affect your personal information and you have not been notified, you can contact the agency or organisation and ask them for information about the data breach (including whether your personal information was affected).

You can make a complaint to our office if you believe an agency or organisation that is required to comply with the NDB scheme did not promptly notify you about a data breach that:

  1. involved your personal information, and
  2. was likely to result in serious harm.

For more information about who is required to comply with the NDB scheme, see scheme our guide on Entities covered by the NDB scheme.

You can also complain to our office if you believe that a data breach raises other privacy issues, such as a failure to reasonably secure personal information. More information about making a privacy complaint can be found at What can I complain about?

Before making a complaint to the OAIC you must first complain to the agency or organisation, and give it a reasonable opportunity to respond.

Other resources

Support services

If you experience distress, reach out to family or friends or to one of the support services below for help.