Your Data Was in a Breach — Here Is Exactly What to Do
The Optus, Medibank, Latitude, and dozens of smaller Australian data breaches in recent years have exposed the personal data of tens of millions of Australians. Receiving a breach notification is alarming, but there are clear, practical steps you can take to protect yourself. Acting quickly matters — stolen data is often exploited within days of a breach.
Step 1: Understand What Was Exposed
Read the breach notification carefully to determine exactly what categories of information were exposed. Email and password exposure means you need to change passwords on accounts using those credentials immediately. Driver's licence or passport number exposure creates identity theft risk and may warrant replacement documents. Medicare or health fund number exposure requires monitoring for fraudulent claims. Credit card details require immediate card cancellation and replacement — contact your bank.
Step 2: Change Your Password Immediately
Change the password on the breached account immediately. More importantly, if you used the same password on any other accounts, change it on those accounts too. Reused passwords are what make credential stuffing work: criminals automatically test stolen username and password combinations across hundreds of major websites. Unique passwords for every account, managed through a password manager, prevent credential stuffing from being effective.
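As an added example (not part of the original article), the Python script below audits a password manager's CSV export and lists every account that shares a password with the breached one, plus any other groups of accounts with a shared password. The column names, account names and passwords are constructed for illustration; adjust the columns to match your own export.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (not real data). Column names are an assumption;
# adjust them to match your password manager's CSV export.
SAMPLE_EXPORT = """name,url,username,password
Telco,https://telco.example,sam@example.com,Winter2022!
Bank,https://bank.example,sam@example.com,kP9#vTq2-unique
Shopping,https://shop.example,sam@example.com,Winter2022!
Forum,https://forum.example,samj,Winter2022!
Streaming,https://stream.example,sam@example.com,blue-Horse-77
Gym,https://gym.example,sam@example.com,blue-Horse-77
"""

def _digest(password):
    # Group by digest so plaintext passwords are never used as keys or printed.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def load_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reuse_clusters(entries):
    """Map password digest -> account names, only where 2+ accounts share it."""
    groups = defaultdict(list)
    for e in entries:
        if e["password"]:
            groups[_digest(e["password"])].append(e["name"])
    return {d: sorted(names) for d, names in groups.items() if len(names) > 1}

def accounts_to_change(entries, breached_account):
    """Accounts sharing a password with the breached account, breached one first."""
    breached = [e for e in entries if e["name"] == breached_account]
    if not breached:
        raise KeyError(f"no entry named {breached_account!r}")
    digests = {_digest(e["password"]) for e in breached}
    others = sorted(e["name"] for e in entries
                    if e["name"] != breached_account
                    and _digest(e["password"]) in digests)
    return [breached_account] + others

if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    print("Change now:", accounts_to_change(entries, "Telco"))
    for names in reuse_clusters(entries).values():
        print("Shared password:", ", ".join(names))
```

A real export file holds every password in plaintext, so run the audit locally and securely delete the file afterwards.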
Step 3: Enable Multi-Factor Authentication
On the breached account and on any other important accounts, enable multi-factor authentication. Even if a criminal has your email and password, MFA prevents them from accessing the account without also having your phone. For accounts where the breach exposed your password, enabling MFA should happen immediately after changing the password.
Step 4: Monitor Your Credit File
If the breach exposed your identity documents — driver's licence, passport, Medicare number, or TFN — place a credit monitoring alert on your credit file. You are entitled to a free credit report from Equifax, Experian, and illion. Check for any credit enquiries or accounts you do not recognise. Consider placing a temporary credit ban, which prevents new credit being issued in your name without additional verification.
Step 5: Contact IDCARE
If you believe your identity may be at risk of misuse, contact IDCARE — Australia's national identity and cyber support service — at idcare.org or on 1800 595 160. IDCARE provides free, specialist advice on responding to identity theft and data breaches. They can help you develop a personalised response plan based on what was exposed. Report the breach to Scamwatch if you have been directly scammed as a result. And monitor your accounts and email closely for several months following any significant data breach.
The Long Tail of Data Breach Impact
Data breach impacts do not end when the immediate steps are complete. Stolen data circulates on criminal markets for years, and targeted fraud attempts may come months or years after the original breach. Maintain ongoing vigilance: continue monitoring your credit file quarterly, watch for phishing emails that reference your specific details (a sign that personalised data is being used), and review your financial account statements regularly. The OAIC has resources to help breach victims understand their ongoing rights and options.
When the Business That Was Breached Is at Fault
If you have suffered financial loss as a direct result of a data breach — and the organisation responsible did not have adequate security controls in place — you may have grounds for a privacy complaint to the OAIC or a legal claim for damages. The OAIC can investigate whether the organisation complied with the Privacy Act. For larger losses, legal advice may be worthwhile. Several class actions have been filed following major Australian data breaches. IntrusionX provides security consulting for businesses seeking to prevent breaches and understand their legal obligations — contact us for a consultation.