I'm affected by a data breach. What should I do?
A data breach occurs when private information about an individual becomes compromised. The ways this process occurs vary. It can occur through a cyber attack from an outside organisation (usually with criminal intent), however it is more commonly found when human error exists, such as processing errors. On occasion it may be the result of malicious intent by an individual within an organisation.
In most cases organisations, including government agencies, must notify individuals affected by data breaches.
The notification must give you information about the data breach and recommend steps you can take to reduce the potential harm. You will be notified either via email, SMS or phone. If a data breach is likely to result in serious harm, the organisation must send you a notification that tells you:
- The agency/organisation's name and their contact details
- Details about the kinds of personal information involved in the breach
- A description of the data breach
- Recommendations for steps you can take in response to the breach.
If an organisation is unable to contact everyone they must put a notification on their website and promote the notification. They may do this via social media channels, news articles, or advertisements to bring attention to a data breach notification.
Sometimes an organisation is unaware there has been a data breach. If you think that a data breach may have affected your personal information and you have not been notified, you should contact the organisation immediately and let them know.
If they are aware that a breach has occurred and have not notified you, you can contact the Office of the Australian Information Commissioner (OAIC) https://www.oaic.gov.au/individuals/data-breach-guidance/receiving-data-breach-notifications to lodge a complaint.
The most important thing to do if you have received a notification that your information has been compromised, is to find out exactly what information has been compromised.
These details are not always evident from the notification. Furthermore, sometimes the notification contains incomplete or inaccurate information. This may be due to the nature of the breach, or sometimes because the notification is made before the full extent of the breach is fully known.
It can be very stressful when your information has been hacked. If you are at risk, contact the relevant authorities or health organisations as soon as you are able.