Skip to main content
Skip to secondary navigation
Australian Government - Office of the Australian Information Commissioner - Home

Global hack of managed service providers

21 December 2018

The Office of the Australian Information Commissioner (OAIC) advises managed service providers which may be affected by a global cyber security hack to take steps to ensure Australians’ personal information is being safeguarded.

The Australian Cyber Security Centre (ACSC) has also provided advice for managed service providers and their customer organisations about the hack and how to respond.

If Australians’ personal information may have been compromised, managed service providers must carry out an assessment to determine whether there has been an eligible data breach. This assessment should be done as quickly as possible and generally within 30 days.

Under Australia’s Notifiable Data Breaches scheme, organisations must notify affected individuals and the OAIC when personal information has been lost, or subject to unauthorised access or disclosure, and serious harm is likely to result.

Organisations should contact their managed service providers if they are concerned their data may have been affected.

If personal information is held by more than one organisation ‒ such as a managed service provider and its customer organisations ‒ only one organisation needs to conduct the assessment. If notification is required, the entities involved may determine which one is best placed to notify.

The OAIC website provides additional information about data breaches involving more than one organisation.

Advice for individuals

Anyone who is concerned that their personal information has been compromised can take steps to secure their personal information by:

  • Immediately changing passwords for important online accounts and not using the same password across different accounts
  • Creating hard-to-guess passwords or passphrases of at least 12 characters and turning on two-factor authentication when available
  • Obtaining a free copy of their credit report to check for unusual activity
  • Being wary of email and telephone scams, including those which claim to be from a reputable company or an organisation you deal with. If you’re unsure, get in touch with the organisation using contact details from a verified website or another trusted source.

For more information on how to protect your identity or respond to a data breach notification visit the OAIC website or IDCARE’s Learning Centre. For general advice on how to stay safe online visit the ACSC Stay Smart Online website.