What to do after a data breach: steps to protect against scams
When organisations experience a data breach, details such as your email address, passwords, or financial information can end up in the wrong hands. This can open the door to identity theft and scams, making it important to act quickly and stay alert to protect yourself against scams and fraud.
In this guide, we take a look at why your personal information matters, how to check if you’ve been affected by a data breach, and what steps to take if you have. We also share tips to help you protect yourself against scams that can follow.
In this article:
- What is a data breach?
- Your personal information is valuable
- How to know if your data was exposed in a breach
- What to do if you've been impacted by a data breach
- Be alert for scams
What is a data breach?
A data breach happens when personal information is accessed, shared without permission, or lost, either by accident or because of a security breach.
Personal information includes details that identify you, such as your name, address, date of birth, signature, credit details, and photos.
Your personal information is valuable
Think of your personal information like a puzzle. Each piece alone might seem small, but when you join the pieces together it’s enough for a criminal to steal your identity. Scammers can use your personal information to access your bank account, take out loans and open new credit cards in your name. This can impact your credit rating.
Find out more about identity theft, including warning signs to look out for and where to go for help.
How to know if your data was exposed in a breach
There are several ways you might learn about a data breach. An organisation may contact you directly if your personal information is part of a data breach. You might also hear about it through the news, social media or ads.
In some cases, you may notice unusual activity in your personal accounts which could be a sign that your identity has been misused because of a breach you didn’t know about.
You can find details of known data breaches at the Have I Been Pwned website. Enter your email address and the site will tell you if it appears in any known data breaches. It may not be a comprehensive list, but it’s a useful way to uncover some breaches you may not have been aware of.
If you think you’ve been involved in a data breach but haven’t received any information, contact the organisation directly and ask them.
What to do if you've been impacted by a data breach
If your personal information has been exposed in a data breach, acting quickly can help reduce the impact of identity theft or fraud. There are several steps you can take to secure your accounts, protect your identity, and get support if you need it.
Check what information was exposed
When you’re notified directly about a data breach, the organisation should tell you what type of personal information was exposed and outline recommended actions to take in response. It’s also a good idea to check their website for updates or contact them directly if you have questions. Understanding what data was compromised is critical because different types of information carry different risks.
Take action
The action you take depends on the sensitivity of the information involved. For example, if only your email address was exposed, the risk is relatively low. However, you may notice an increase in phishing scams, particularly from scammers pretending to be from the organisation impacted by the breach.
If more sensitive details such as your driver licence, Medicare number, or financial information were compromised, the risk of identity theft or fraud is much higher. These details can be used to create accounts in your name, so it’s best to contact the relevant organisations or government services and follow their advice.
Visit Cyber.gov.au’s Have you been hacked? interactive tool for advice on steps you should take to secure your finances, accounts, and email depending on what has been stolen or leaked. Select the ‘My information has been stolen or leaked’ option and follow the prompts.
Secure and monitor your accounts
Change your password for any account that has been breached, especially if you use the same password across other online accounts. Make sure your passwords are strong and, where possible, turn on multi-factor authentication (MFA) for extra security.
Contact your bank, superannuation, and other key accounts to let them know your details have been compromised in a data breach. Ask them what you can do to place additional security on your accounts or cards.
Keep an eye on your accounts and statements for unusual activity or unauthorised transactions.
Seek help and advice
If you’ve been affected by a data breach, you don’t have to handle it alone. There are trusted organisations that can provide support and advice.
IDCARE is a free support service for people who are the victims of identity theft, hacking, scams and lost or stolen credentials. You can call them on 1800 595 160 or visit their website at idcare.org.
You'll also find helpful information at the Office of the Australian Information Commissioner (OAIC) website, including how to respond to a data breach notification, what to do if your identity has been stolen, and how to access your credit report.
It's also recommended that you head to the Scamwatch website for alerts and news on the latest scams and how to protect yourself against them.
Be alert for scams
Scammers often take advantage of data breaches to trick people into sharing more personal information or money. They may convince you that they already have your information when they don’t.
Common scam tactics to watch out for
- Emails, texts, or calls asking you to reset your password or verify your identity.
- Callers claiming they need access to your device to secure it, fix it or investigate a problem (when there isn’t one). They’ll ask you to download a piece of software to enable them to access your device.
- Messages or calls that create a sense of urgency, telling you things like your account will be locked or there are unauthorised transactions on your account.
- Contact from organisations claiming they can help you get your money back if you have previously lost money to scammers.
It’s important to know that legitimate data breach notifications will never ask you to:
- Reply with your password or login details.
- Click on links to confirm your identity or reset your password.
Whenever you're asked to share your personal information, always ask yourself: What are they asking me to do? Does it sound right? Don’t be afraid to ask questions or even hang up on a caller who is pressuring you to act quickly.
Useful resources
- Learn more about how you can avoid scams in our free course Identifying and avoiding scams.
- Learn about password managers, antivirus software and Virtual Private Networks (VPNs) in our free Advanced online security course.
- Find out ways to protect yourself online.
- Discover more tips about how to avoid identity theft.
- Read our article on how to stop unwanted or nuisance calls.
This article was originally published on 21 October, 2022.