Respond to a data breach notification
You may be told about a notifiable data breach directly, such as by an email, or indirectly, by the organisation or agency promoting a data breach notification on their website. By acting quickly, you can reduce your chance of experiencing harm.
You should also keep a record of any action you take or help you get. This may be useful if you experience harm as a result of the data breach.
A data breach can be distressing for many people. You may want to contact a support service or reach out to family or friends for support.
If you want more information about a data breach notification, contact the organisation or agency that experienced the breach.
How to reduce your risk of harm
A data breach notification should tell you what kind of information was involved and recommend actions you can take in response. We've given some suggestions below for:
- contact information
- financial information
- government-issued identity document information
- health information
- sensitive information
- tax file number and tax-related information
- consumer data right data
Your contact information includes your home address, email and phone numbers.
Change your passwords
Change your email account passwords. Make sure you have strong passwords that you haven’t used for other accounts.
If you emailed yourself online account passwords, such as your online banking password, change these as well.
Enable multi-factor authentication for your email accounts where possible.
Take care with emails
Know how to spot a scam. Scamwatch has help on protecting yourself from scams. If your name and contact details were involved in a data breach, a scam email might be personalised and address you by name.
Ensure you have up-to-date anti-virus software installed on any device you use to access your emails.
Don’t open attachments or click on links in emails or social media messages from strangers or if you’re unsure that the sender is genuine.
Take care on phone calls
Don’t share your personal information until you are certain about who you’re sharing it with. If someone calls you and claims to be from an organisation or agency, you can hang up and call the organisation or agency back using publicly available contact details from their website or the phone book.
Take care of yourself
If your physical safety is at risk, contact the police. If your mental health and safety is at risk, contact your doctor, a support service or your family or friends.
If you have any questions about financial information (such as your credit card details or online banking sign in) that a data breach notification doesn’t answer, contact your financial institution using the contact details on their website or in the phone book.
Change your passwords
Change your online banking account passwords. Use a strong password that you haven’t used for other accounts. Also, change your banking PIN.
When updating your internet banking passwords, go to the financial institution’s website directly by typing their web address into your web browser. Generally, a financial institution won’t ask you in an email to click on a link to update your password.
You might also consider enabling multi-factor authentication for your accounts if it’s available. Multi-factor authentication asks you to confirm your identity with two or more pieces of evidence such as a password and a security code sent to your mobile phone. Using multi-factor authentication makes it more difficult for someone to gain access to your online accounts.
For more information about creating strong passwords and multi-factor authentication, visit cyber.gov.au.
Check your account statements
Monitor your account transactions online or using paper account statements if you receive them. If you spot any purchases you didn’t make, report these immediately to your financial institution.
Check your credit report
Credit reporting bodies may hold different information about you, so you may need to request a copy of your credit report from all three credit reporting bodies.
If you suspect fraud, you can request a ban on your credit report. We recommend that you make the request to all three credit reporting bodies in case they maintain a consumer credit report on you.
If you have any questions about government-issued identity document information (such as your driver licence, Medicare card or passport), contact the agency that issued the identity document for advice.
Protect yourself from identity fraud.
If you have any questions about health information that a data breach notification doesn’t answer, contact your health service provider using the contact details on their website or in the phone book.
If you suffer distress, contact your doctor, a support service or your family or friends.
If you have any questions about sensitive information that a data breach notification doesn’t answer, contact the organisation or agency that sent the data breach notification.
If you experience distress, contact your doctor, a support service or your family or friends. If your physical safety is at risk, contact the police.
If you experience online harassment, racism or abuse, visit the Office of the eSafety Commissioner website for information on keeping safe online.
If you have any questions about your tax file number or other tax-related information that a data breach notification doesn’t answer, contact the Australian Taxation Office (ATO). The ATO can monitor any unusual or suspicious activity with your tax file number.
Protect yourself from identity fraud.
If you share your data under the Consumer Data Right (CDR) system, your accredited provider has additional obligations to detect, record and respond to any breaches relating to your CDR data.
If you have any questions about your CDR data that a data breach notification doesn’t answer, contact the data holder or accredited provider.