Data breaches happen on a frequent basis, sometimes they are high profile, sometimes they are not.
A data breach is when data is inadvertently shared with or maliciously accessed by an unauthorised person or third-party. This can be by accident or because of a security breach.
Individuals, small businesses, large organisations and government are all at risk of data breaches. A breach can affect anyone who has provided personal information and anyone who has collected and stored it.
You may hear about a data breach directly from an affected organisation, or read about a breach in the media. Under the Notifiable Data Breaches scheme, you must be told if a data breach is likely to cause you serious harm.
Office of the Australian Information Commissioner Data breaches page for more information, and to find out what to do if you are told about a data breach.
Lastly, sometimes organisations may have had data breaches in the past but not become aware of the breach until later on. During this time, your details may be compromised without your knowledge. This is why it is important that individuals stay vigilant to the signs their personal information has been compromised.
What to do if you have been impacted by a data breach.
The advice for individuals that may have been impacted is to contact their local, Service Centres, Road Agencies or Government Agency or visit their websites (see below) for further information and guidance.
If you been a victim of a data breach from an organisation, the following information will assist you to help get your life back on track. More information is available from:
State Service Centres:
Your passport | Australian Passport Office (passports.gov.au)
If you have any questions with regards to the DVS aspect of a cyberattack please contact DVS.Manager@ag.gov.au.
You should also:
If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately and call IDCARE on 1800 595 160. If your identity has been stolen, you can apply for a Commonwealth Victims' Certificate. If you believe you are victim of a cybercrime, go to ReportCyber.
The Government is looking at all possible solutions to protect and reissue victims' identity documents.
The Attorney General's Department has established a Commonwealth Credential Protection Register to help stop compromised identities from being used fraudulently. As the companies impacted provides data, issuing agencies will assess and determine whether to add credentials to the register. As at 14 October 2022, the register includes around 100,000 Australian Passports. These passports can still be used for international travel. The Department of Home Affairs is working with federal and state government agencies to upload compromised credentials to the register, with a focus on Australian and New Zealand passports and Australian drivers licences.
The Australian Federal Police (AFP) has launched Operations to investigate the criminal aspects of the breaches. The AFP has also launched Operation GUARDIAN, under the AFP led JPC3, a joint partnership with law enforcement, the private sector and industry to combat cybercrime. Operation GUARDIAN is focused on shielding affected customers, where they can be identified, and working with industry to enhance protections for members of the public. The AFP is also monitoring online forums, including the internet and dark web, for criminals trying to exploit the breached data. The AFP will not hesitate to take action against those who are breaking the law.
The Attorney General's Department is working with Commonwealth, state and territory agencies to minimise the potential for exposed documents to be used fraudulently. If your Medicare card details have been exposed, Services Australia will allow you to replace your Medicare card for free. If you believe there has been unauthorised activity to any of your Services Australia accounts, contact their Scams and Identity Theft Help Desk.
Passports are still safe to use for international travel. However, the Government understands impacted customers may be concerned about identity theft relating to their passports. Customers who choose to replace their passports can call the Australian Passport Office where staff are ready to assist. More information can be found at the Australian Passport Office.
The Credential Protection Register (CPR) stops the verification of known compromised credentials (i.e. credentials which have been subjected to a data breach) through the Document Verification Service (DVS), meaning they cannot be used for fraudulent identity verification purposes. However, this means rightful owners will not be able to use them online. New credentials issued following the data breach will work as normal. In the interim, impacted individuals should consider using alternative credentials or speak to service providers that ask for identification for other options, such as visiting the service in person to present the credential.
Prior to the establishment of the Commonwealth Credential Protection Register, compromised credentials would successfully verify through the Document Verification Service as real and valid identity documents belonging to real people.
The Attorney General's Department will continue to work with key stakehol ders to refine the Credential Protection Register to ensure it provides a longstanding identity recovery and resilience mechanism for all Australians.
If you have recently had your identity credentials (i.e. Australian passport or drivers licence) compromised in a data breach, the details of your compromised credential may be uploaded to the Credential Protection Register. The inclusion of your compromised credential on the register is automatically done by the organisation that issues the credential based on your risk profile. You are not required to take any action.
You should consult with the credential issuer regarding if the credential should be replaced, until this occurs your credential will continue to function for the purpose it was issued e.g. allow you to drive a car or travel internationally but will not function for the purpose of confirming your identity.
Once your compromised credential has been replaced the details of your old credential will remain on the Credential Protection Register to ensure it cannot be used for future fraudulent verification purposes. Leaving your compromised credential on the register will have no impact on your ability to verify your new identity document.
When you access government services, apply for a bank loan or receive a medical benefit, organisations may ask you for proof of identity. This is because organisations need to make sure they are helping legitimate customers, and not someone attempting to commit identity crime.
Identity crime [PDF] is one of the most prevalent crimes in Australia. One in four Australians will be a victim of identity crime at some point in their lives. The Identity Matching Services are designed to better protect you from identity crime and save the Australian community a substantial amount of time and money.
The Identity Matching Services can check whether your identity document is valid, with your consent. They can also help you to reclaim your lost or stolen identification documents faster, without the need to re-establish your identity.
By providing organisations with the means to verify your identity documents, more government services can be provided completely online, while significantly reducing the risk of identity crime.
Match results can show if your identity information matches the information that the document issuing organisation has on record.
In most cases, match results will return simply a ‘yes’ or ‘no’ answer to verify a record. In more limited cases a government agency may also request additional information, such as your name or photo. This may only happen where the agency has a legal authority to collect this information.
A match result can’t be the sole deciding factor for the organisation when they decide if they will supply you with a benefit or service. In other words, the Identity Matching Services do not make decisions about your identity - that responsibility rests with the user organisation, taking into account all the available information at their disposal.
Each government agency that issues your identity documents has its own secure system to store and protect the original record. In most cases, the Identity Matching Services access information direct from these systems.
In the case of driver licence information, the DVS hub checks your information with the
National Exchange of Vehicle and Driver Information System (NEVDIS). NEVDIS is operated by Austroads Ltd on behalf of driver licencing authorities.
Facial images on driver licences will over time be provided by driver licencing authorities and stored in a system called the National Driver Licence Facial Recognition Solution (NDLFRS), hosted on behalf of the states and territories by the Attorney General's Department.
A list of information shared by the Identity Matching Services is available in our Privacy Statement.
In rare cases, your valid identity information may fail to match with the original record. This might be because:
If this is the case, contact the organisation that performed the check. They can:
If you are not satisfied with their response, you can contact the DVS Manager by email at
Law enforcement and anti-corruption agencies in Australia can use Face Identification Service (FIS) without your consent only as part protective security.
The FIS cannot be used for mass surveillance or for investigating offences such as jaywalking or littering.