ato logo
Search Suggestion:

Data breach guidance for tax professionals

If a data breach occurs, we may put safeguards in place to protect information that belongs to you and your clients.

Last updated 12 November 2024

How data breaches can happen

A data breach occurs when confidential taxpayer information has been accessed by an unauthorised third party.

Tax professionals hold a large amount of client, staff and business information, which makes them a growing target for identity thieves.

Tax professionals who experience a data breach may discover their clients' identities have been stolen and refund fraud has been committed in the clients' names.

Examples of data breaches include, but are not limited to:

  • unauthorised removal of computers, data, or records in both paper and digital formats
  • people with legitimate access to the data using it for fraudulent activities
  • accessing taxpayer files using a fraudulently obtained credential, such as myID
  • criminals exploiting vulnerabilities in your IT security controls, hacking or phishing for information
  • accidental disclosure of information, for example, records emailed to an unauthorised third party or hard copies left in a public place
  • payroll information for your employees being unlawfully accessed
  • unauthorised access to cloud-based services you use to store information.

How to prepare for a data breach

A data breach response plan is crucial for tax professionals to have in place. It should step out the roles and responsibilities that need to be actioned in the event of a data breach.

The Office of the Australian Information Commissioner (OAIC)External Link provides guidance on how to create a strong data breach response plan. For example, it should include:

  • clear escalation procedures and reporting lines for suspected breaches
  • processes that outline when and how affected individuals are notified
  • a record-keeping policy to ensure breaches are documented
  • strategies to identify and address any data handling weaknesses that could have contributed to the breach

You should regularly review and test your plan to ensure it is current and addresses the requirements outlined by the OAIC.

Educating yourself and your employees on potential red flags of a data breach can help you quickly identify and implement your response plan. Indicators include:

  • lodgments being made on client accounts that you did not action
  • noticing changes to files and document that were not made by you such as updates to your clients' details
  • not being able to log in to your online accounts or noticing unusual activity such as account verification emails being deleted
  • your devices behaving differently such as glitching or running abnormally slow.

Further information on detecting data breaches and cyber incidents is available from the Australian Cyber Security CentreExternal Link.

What to do after a data breach

Tax professionals should report data breaches to us to make sure protective measures can be placed on client accounts.

If you have experienced a breach we recommend the following actions:

  • Phone our Client Identity Support Centre as soon as possible on 1800 467 033 Monday to Friday, 8:00 am–6:00 pm AEST so that we can apply measures to protect your business, staff and clients.
  • Review the Office of the Australian Information Commissioner's (OAIC) information about notifiable data breachesExternal Link to make sure you comply with your obligations under the Privacy Act 1988, including the Notifiable Data Breaches (NDB) scheme – review the Tax Practitioners Board (TPB) information on how the NDBS can impact your TPB registrationExternal Link.
  • Tell affected clients and staff about the data breach. We may also contact your clients or staff directly.
  • Contact your software provider, especially if you suspect the breach originated in one of their service offerings.
  • Consider what information was accessed during the breach and take steps to safeguard this where necessary. For example, you may need to report inappropriate access to your myID.
  • Take steps to secure the information in your business by updating all security software and controls.
  • Review systems access and remove it for people who no longer need it.
  • Continue to follow security best practicesExternal Link and reinforce these practices with your staff to reduce the risk in your business.

If you or your clients are concerned about the security of other personal information and the wider impact of identity theft, we recommend you speak with IDCAREExternal Link on 1800 595 160. IDCARE provide free advice and confidential support to victims of data breaches and identity theft.

Start of example

Case study 1: Stolen equipment

A tax agent reported to us that a laptop and documents were stolen from their car. The items contained confidential information, including business credentials and records for individual and business entities managed by the tax agent.

It was later confirmed that the tax agent's identity had been stolen and used to lodge fraudulent PAYG summaries on their clients’ accounts.

We applied protective measures to the client, entity and employee accounts relating to the affected tax agent's business.

Reports of stolen equipment and data used for business occur regularly. There are a number of ways in which the data you hold on behalf of your clients, employees and business can be stolen, such as:

  • dumpster diving
  • letterbox theft
  • paper or electronic files left unattended
  • cards stolen from wallets
  • stolen briefcases or laptops.

To keep your client and business information safe:

  • do not leave your information unattended
  • make sure you keep your electronic devices secure
  • make sure client and staff data is securely stored at the end of each day
  • apply multi-factor authentication to all devices used for your business.
End of example

 

Start of example

Case study 2: Ransomware

A tax agent reported an incident in which they received an authentic looking email from a large Australian business requesting information. The agent clicked a link in the email, which released a 'crypto virus' that locked their computer systems. Fortunately, their IT specialist was able to recover their systems, but the security of their data was put at risk.

The tax agent has since:

  • added additional measures to protect their systems and data holdings from future attacks
  • provided training to all staff on how to check for spoofing in emails.

We asked the agent to provide the names of potentially compromised clients and applied protective measures to their accounts, including entity and employee accounts.

There are many variations of ransomware that can affect business systems and data in different ways. At the time of ransomware attacks it’s impossible to know precisely what a virus will do.

Some ransomware spreads into computer systems and silently steals information. Other ransomware is used to extort money from businesses by locking their computer files using an unbreakable code that only the criminal knows. If you pay the ransom money, the fraudsters may unlock your systems and release the data, but you could be targeted again.

Staff education is critical. If you receive a suspected phishing scam email, do not:

  • click on any links
  • open any attachments
  • download any files
  • install any applications.

Make sure your data is secure by backing it up regularly. Consider using off-site data storage options to effectively back-up your data.

End of example

How we protect clients affected by a data breach

We protect the privacy of client records by our proof of record ownership processes. If a data breach occurs within your practice, we may implement a range of additional safeguards.

Understanding what treatments we may apply to protect your clients will help you support them.

Treatment options can include one or more of the following, depending on the severity of the breach and any resulting fraud attempts:

Additional proof of identity

We may issue an alert to our staff requiring them to seek additional proof of record ownership from your client.

The requirement will apply when your client interacts with us. The alert prompts our staff to ask additional questions when validating your client’s identity. This alert does not:

  • prevent you from dealing with us on behalf of your client
  • change how we will identify you.

Asking questions only the genuine client will know assures us we are dealing with the actual client, and not an unauthorised third party.

Your client may also choose to have a secret password created on their ATO record. Secret passwords validate a client’s identity when they deal with us.

The client can create their secret password with our staff over the phone. However, if we are unable to establish proof of identity, we may request your client visit a shopfront with proof-of-identity documentation. They can also complete a tax file number enquiry form on the Australia PostExternal Link website.

Additional monitoring processes

We will continue to monitor your client’s ATO records. If we identify any irregular activity, we may contact you or your client to make sure the activity is legitimate. This may delay processing of tax returns and other forms.

Additional security measures

Depending on your client’s circumstances, we may also apply additional security measures within our systems.

If we apply these measures:

  • your client may not be able to use our online services or myGovExternal Link
  • pre-fill data may not be available
  • we may prevent business activity statements from issuing automatically. You or your client will need to contact us before each lodgment so we can generate these statements.
  • we may need to make extra checks for tax returns and other forms that could delay processing.

Appointment of a data breach manager

In some cases, we may assign a data breach manager who will assist you in the management of data breaches within your practice. They can provide support to reduce the impact on your practice and clients.

Inappropriate access to myID

myID uses encryption and cryptographic technology and the security features in your device, such as fingerprint or face, to protect your identity.

If you are aware or suspect someone has inappropriately accessed your personal information in myID, you need to report this immediately.

Contact the myID support line on 1300 287 539 (select option 2) between 8:00 am and 6:00 pm AEST, Monday to Friday.

International callers can contact us by phoning our switchboard on +61 2 6216 1111 between 8:00 am to 5:00 pm AEST, Monday to Friday, and request your call be transferred to the myID support line.

For more information and tips about staying safe online, see myID securityExternal Link.

To help protect your business from a data breach, make sure you:

QC54173