Resource ● Last updated 23 April 2026 ● 15 min read
How to keep safe after a data breach

Note:
This resource focuses on your rights under the Privacy Act 1988 (Cth) — Australia’s federal privacy law. This law generally applies to: Commonwealth government agencies; most private sector organisations with annual turnover above $3 million; private health service providers (regardless of size); and credit reporting bodies.
If your situation involves a State or Territory government agency (for example, a state public hospital, state school, local council, or state police), different privacy laws apply.
Is this resource for me?
This resource is for you if:
- You have been notified that your personal information was exposed in a data breach.
- You are worried about what could happen because of a data breach to an organisation or government agency.
- You want to know what steps to take to protect yourself and your legal rights.
What will I learn?
By the end of this resource, you’ll know how to:
- Understand what was exposed, and what type of information matters most.
- Assess what risks could arise because of the data breach.
- Take protective action and follow immediate steps to reduce harm.
- Understand your legal rights and when to take legal action.
PART 1: Test your knowledge
PART 2: What is a data breach?
A data breach happens when personal information held by an organisation is lost, or is accessed or disclosed without permission. It is not your fault – organisations have a legal duty to take reasonable steps to protect your information, but there are also steps you can take to protect yourself.
If the organisation is covered by Australian privacy law, it has to notify you and the Office of the Australian Information Commissioner (OAIC) when there’s a serious data breach that is likely to cause you serious harm.
A serious (also known as an ‘eligible’ or ‘notifiable’) data breach is when:
- your personal information is accessed, shared, or lost without permission
- this is likely to cause serious harm to one or more individuals – for example through identity theft, money loss, physical risk, or serious emotional distress, and
- the organisation cannot fix the problem in time to remove that risk of serious harm.
What is “serious harm”?
Serious harm means more than just worry or inconvenience. It includes things like identity theft, financial loss, damage to your credit report, physical safety risks, or serious emotional or psychological harm (for example, ongoing fear, distress, or shame) that might reasonably happen because of the breach. “Serious harm” is assessed from the perspective of a reasonable person in the organisation’s position, not the individual’s subjective experience.
Common causes of data breaches:
- Hacking or cyber-attacks on the organisation’s systems
- Employee error or misconduct — such as emailing records to the wrong person
- Accidental loss — such as a lost laptop, USB drive, or paper files
- Weak security systems or software vulnerabilities
- Third-party vendor breaches — where a supplier’s system is compromised
Dealing with a data breach can be stressful. It’s normal to feel worried or unsure where to start. This resource will help you take it one step at a time — and there are free services to support you.
PART 3: What information puts you at risk?
Use this risk assessment to understand your level of exposure.
If you receive a breach notification that tells you any of the following have been exposed, act immediately.
- Driver’s licence number
- Passport number
- Medicare number
- Tax file number
- Health or medical information
- Full credit card details (with expiry and CVC)
- Biometric data (fingerprints, facial profile)
- Home address or contact information (if you are in a vulnerable situation)
What to do if your highest risk data has been exposed:
- Contact your bank immediately and ask about protective measures.
- Place a ban (also called a credit freeze) on your credit file with each credit reporting body (for example, Equifax and Experian).
- Report to ReportCyber and contact IDCARE (1800 595 160).
- If health or disability information was exposed, consider seeking legal advice.
If you receive a breach notification that tells you any of the following have been exposed, monitor closely and take precautions.
- Full name and date of birth
- Bank account or superannuation details (without password)
- Home address or contact details
- Electronic signature
What to do if your medium risk data has been exposed:
- Change passwords and enable multi-factor authentication for key accounts.
- Monitor your bank and credit accounts for unusual activity.
- Request your credit report and check for entries you do not recognise.
If you receive a breach notification that tells you any of the following have been exposed, stay alert and watch for unusual activity.
- Username (without password)
- Email address (without password)
- Employment contact information
- Public profile information
What to do if your lower risk data has been exposed:
- Watch for phishing emails using your name or workplace details.
- Update passwords so that each account uses a unique password.
PART 4: Your legal rights after a data breach
Australian law gives you important protections:
Organisations that collect and hold your personal information must take reasonable steps to protect it from misuse, interference, loss, unauthorised access, modification, or disclosure (Privacy Act 1988 (Cth), Australian Privacy Principles).
How to use this right:
If you believe an organisation did not take reasonable security measures, make a complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
If a data breach is likely to cause you serious harm and the organisation (where it is covered by the Privacy Act) cannot prevent that harm, it must notify you and the Office of the Australian Information Commissioner (OAIC) as soon as possible. Not all organisations are covered by this rule. The Notifiable Data Breaches scheme only covers certain serious breaches (called ‘eligible data breaches’). The organisation must assess whether the breach is likely to cause serious harm before it has to notify you and the OAIC.
How to use this right:
If the breach was serious and you were not notified, make a complaint to the organisation first, then to the OAIC if unresolved.
You have the right to complain to the OAIC if you believe your privacy has been breached. The OAIC can investigate and may require the organisation to take steps to fix the problem, apologise, or pay you compensation. In serious cases, the OAIC can also issue formal notices and apply to court for significant financial penalties against the organisation.
How to use this right:
Lodge a privacy complaint online at oaic.gov.au. Keep records of all correspondence.
If your financial information is misused, you can dispute unauthorised transactions with your bank. If your bank follows the ePayments Code or the Banking Code of Practice, you may be entitled to a refund depending on what happened. Ask your bank how these rules apply to you. You can request corrections to your credit report and ask credit reporting bodies (Equifax and Experian) to place a ban on your file to prevent further fraud.
How to use this right:
Contact your bank and credit reporting bodies as soon as you notice suspicious activity. If the bank does not resolve your complaint, escalate to the Australian Financial Complaints Authority (AFCA) at 1800 931 678.
Under the Australian Consumer Law, organisations must not mislead you about the security of your data or the steps they take to protect it. If an organisation made representations about security that turned out to be false, you may have a consumer law claim.
How to use this right:
Make a complaint to the organisation. If unresolved, contact the Australian Competition and Consumer Commission (ACCC) or your state consumer affairs agency. You may also be able to take your complaint to a consumer tribunal.
If a data breach has caused you financial loss or significant distress, and the organisation didn’t take reasonable steps to protect your data, you may be able to seek compensation. The OAIC can make recommendations or determinations about compensation after an investigation. You can also seek legal advice about other options, such as court claims. Success is not guaranteed and depends on your individual circumstances.
How to use this right:
Seek legal advice to determine the best pathway.
PART 5: What to do if you’ve been impacted by a data breach
What to do immediately
1. Find out exactly what was exposed
Read the data breach notification carefully. Note exactly what information was affected. If unclear, contact the organisation and ask specifically, in writing, what information was involved and when.
2. Change your passwords immediately
Change the password for any affected accounts and for any other accounts using the same password. Use strong, unique passwords (12+ characters, mix of letters, numbers, symbols). Enable multi-factor authentication where available.
3. Monitor your accounts closely
Check your bank and credit card statements for unauthorised transactions. Watch for suspicious activity in your email, government, and phone accounts over the coming weeks.
4. Place a credit ban
Contact credit reporting bodies — Equifax (13 8332) and Experian (1300 783 684) — to request your credit report and place a ban or freeze on your credit file. Review for accounts or inquiries you don’t recognise.
5. Document everything
Save communications from the organisation about the breach. Record what you have done to protect yourself (dates, times, actions taken). Save evidence of any suspicious activity or losses. This documentation will be important if you pursue a legal claim.
What to do if you’ve experienced identity theft or fraud
1. Call your bank
Call your bank to dispute fraudulent transactions.
2. Call IDCARE
Contact IDCARE (1800 595 160) for free identity theft support.
3. Report the identity theft or fraud
Report to police or ReportCyber.
4. Consider legal action
Consider seeking legal advice if you suffer loss or ongoing harm.
What to do if you want to explore legal action
1. Gather evidence
Collect all records, correspondence, and proof of loss.
2. Make a complaint
Complain to the OAIC or relevant regulator.
3. Seek legal advice
You can apply for free legal help from Justice Connect.
PART 6: What legal remedies are available?
If your personal information has been exposed in a data breach, you may be entitled to a range of legal remedies. These options are designed to help you recover losses, correct records, hold organisations accountable, and prevent further harm.
Note:
Most government agencies and medium‑to‑large organisations must follow federal or state privacy laws. Very small businesses and some organisations may not be covered by the Australian Privacy Act, but many still follow similar privacy standards. Complaints to regulators like the OAIC focus on getting the organisation to fix problems and sometimes pay compensation. Court cases (like negligence or the new privacy tort) are separate and generally need legal advice.
Most people start by complaining to the organisation directly. Regulator complaints (e.g. OAIC, ACCC) typically follow when the organisation has not responded appropriately.
Legal claims for negligence, breach of contract, or under the privacy tort are complex and usually require legal advice. Success is not guaranteed.
Complaining directly to the organisation
What it covers
Any harm caused by the breach, such as financial loss, stress, inconvenience, or risk of identity theft.
What to do
- Contact the organisation in writing (email or letter).
- Explain the impact of the breach and request specific remedies — e.g. reimbursement, correction of records, additional security.
- Keep a record of all correspondence and ask for a written response.
- Give the organisation up to 30 days to respond to your complaint.
- If unsatisfied, escalate to the relevant regulator or ombudsman.
What this may achieve
- A formal apology or commitment to improve security practices.
- Direct resolution and reimbursement of out-of-pocket costs.
Privacy complaint to the OAIC
What it covers
Privacy breaches by private sector organisations and Commonwealth government agencies under the Privacy Act 1988 (Cth).
Failures to take reasonable security measures, notify you of a serious breach, or respond appropriately.
What to do
- Lodge a privacy complaint at oaic.gov.au.
- Provide details of the breach, how it affected you, and steps you have already taken.
- The OAIC will assess your complaint, may investigate, and may require the organisation to act or pay compensation.
- OAIC complaints must generally be lodged within 12 months of becoming aware of the privacy interference.
What this may achieve
- Correction of records and improved security practices.
- Potential financial compensation. Compensation is not guaranteed and depends on the specifics of your case.
- Public findings or enforcement action to prevent future breaches.
Financial remedies through your bank and credit reporting bodies
What it covers
Unauthorised transactions, fraudulent accounts, or misuse of your financial information as a result of the breach.
What to do
- Contact your bank immediately to dispute transactions under the ePayments Code and Banking Code of Practice.
- Ask credit reporting bodies (Equifax and Experian) to place a ban and correct fraudulent listings.
- If the bank does not resolve your complaint, escalate to the Australian Financial Complaints Authority (AFCA).
What this may achieve
- Reversal of unauthorised transactions and reimbursement of losses.
- Removal of fraudulent debts or accounts from your credit report.
- Improved account security — e.g. new cards, passwords, or additional verification.
Consumer law complaint
What it covers
If the organisation misled you about the security of your data, or failed to provide services with due care and skill.
What to do
- Make a complaint to the organisation citing your rights under the Australian Consumer Law.
- If unresolved, contact the Australian Competition and Consumer Commission (ACCC) or your State/Territory consumer protection agency.
- You may also be able to take your complaint to a consumer tribunal.
What this may achieve
- Compensation for losses and correction of misleading statements.
- Orders to improve security or provide additional support.
- Enforcement action against the organisation for systemic failures.
Note: Consumer law claims for data breach harm can be complex. They work best where an organisation made specific representations about security that proved false. Seek legal advice before pursuing this pathway.
Negligence claim
What it covers
Losses suffered because the organisation failed to take reasonable care to protect your data, causing foreseeable harm — e.g. identity theft, financial loss, or emotional distress.
What to do
- Seek legal advice to assess whether the organisation owed you a duty of care, breached it, and caused you loss.
- You must prove the breach caused actual loss and that the loss was reasonably foreseeable.
- Claims are usually made in court and can be complex and costly.
What this may achieve
- Compensation for proven financial loss, costs of protective measures, and sometimes emotional distress.
- Note: These claims are uncommon for data breaches and success is not guaranteed.
Privacy tort (serious invasion of privacy)
What it covers
Serious invasions of privacy causing harm.
What to do
- Seek legal advice to determine if your case qualifies.
- Show the organisation acted with intentional or reckless disregard for your privacy.
- Show the breach was serious, you had a reasonable expectation of privacy, and the public interest in protecting your privacy outweighed other interests.
- Important: You must start a claim within one year of becoming aware of the privacy invasion, and no more than three years after it occurred (whichever is earlier). In exceptional circumstances, the court may extend the time within which you may commence proceedings, but no later than six years after the invasion of privacy occurred. You should seek legal advice promptly.
What this may achieve
- Damages for economic and emotional harm.
- Possible court orders to stop further misuse.
- Public recognition of the harm and deterrence of future conduct.
- Note: This law came into force on 10 June 2025. It may apply if an organisation deliberately or recklessly misused your private information. Most data breaches caused by system failures or hacking may not meet the required standard, but you should seek legal advice if you think this applies to your situation.
Breach of contract claim
What it covers
If the organisation promised specific data security measures in a contract (e.g. terms and conditions) and failed to deliver.
What to do
- Review the organisation’s privacy policy or your contract for specific security promises.
- Seek legal advice to determine if you have a claim.
- Claims are usually made in court or a tribunal.
What this may achieve
- Compensation for losses directly resulting from the breach of contract.
- Termination of the contract.
- Orders requiring the organisation to comply with its contractual obligations.
Discrimination, family violence, employment and housing matters
What it covers
If the breach led to discrimination (e.g. based on health, disability, race), increased family violence risk, or affected your employment or housing.
What to do
- Seek legal advice to determine if you have a claim.
- You may be able to complain to the Australian Human Rights Commission, Fair Work Ombudsman, or relevant tribunal.
- In family violence cases, you may be eligible for protection orders or additional support.
What this may achieve
- Protection orders, compensation, or other remedies specific to your situation.
- Correction of records or reinstatement of employment or housing.
Reporting a crime
What it covers
If someone used your data to commit fraud, identity theft, or other crimes.
What to do
- Report to ReportCyber or your local police station.
- Provide all evidence of the breach and resulting harm.
What this may achieve
- Investigation or prosecution of the offender.
- A police or ReportCyber reference number that banks, credit bodies, and insurers may ask for when assessing your case.
- Deterrence of future criminal conduct.
PART 7: Understanding the role of evidence in data breaches
What to keep as evidence
If you are considering legal action, making a complaint, or seeking compensation after a data breach, it is essential to keep thorough records. A well-organised evidence file will help you prove what happened, the impact on you, and the steps you took to protect yourself.
- Timeline of events (dates, times, actions taken).
- Original breach notification letter or email from the organisation.
- Written details of what information was exposed and when (e.g. name, address, date of birth, financial details, health information, government ID numbers).
- Bank and credit card statements showing any suspicious transactions.
- Documentation of any financial losses suffered, including the costs of protective measures (such as replacing ID documents or legal fees).
- Credit impact – note your credit score before and after the breach (if available) and keep records of any denied credit applications or new credit enquiries you did not make.
- All correspondence with the organisation about the breach. Note the date, time, and name of the person you spoke to.
- Screenshots of any suspicious account activity or fraudulent accounts.
- Protective actions taken: keep evidence of steps you took to protect yourself, such as credit ban confirmations, password change records, fraud alerts, and police or ReportCyber reference numbers.
- If sensitive information was involved, keep records of any emotional distress, medical appointments, or counselling related to the breach.
- Credit ban confirmations from each credit reporting body.
- Log of time spent dealing with the breach consequences.
Golden rules for evidence
- Keep the original version of every document wherever possible.
- Make multiple copies and store them safely (ideally both electronic and physical copies).
- Label documents clearly as originals or copies.
- Do NOT edit electronic files unnecessarily: editing can change a file’s metadata, which is itself a form of evidence.
- Update your evidence file regularly as new developments occur.
- If gathering evidence for a legal claim, seek legal advice about what to collect and how. Bring your evidence file to any meetings with lawyers, regulators, or support services.
Key takeaways
Act quickly
Change passwords and monitor accounts as soon as you are notified of a breach.
Understand what was exposed
The more sensitive the information, the higher your risk, and the stronger your potential claim.
Know your legal rights
Organisations must protect your data. You have real options, from complaints to regulators to compensation claims.
Recognise connections
Data breaches can affect family violence, employment, and discrimination matters. Seek specialist support if this applies to you.
Document as much as you can
Keep records of notifications, actions taken, and suspicious activity. This is your evidence.
Get support
IDCARE, community legal centres, and Justice Connect all provide free support. You do not need to handle this alone.
Key contacts
- IDCARE: 1800 595 160 | idcare.org — Free identity and cyber support
- OAIC: 1300 363 992 | oaic.gov.au — Privacy complaints and investigations
- ReportCyber: cyber.gov.au — Report cybercrime and harassment online
- AFCA: 1800 931 678 | afca.org.au — Financial services complaints
- ACCC: 1300 302 502 | accc.gov.au — Consumer law protections
- Equifax: 13 8332 | mycreditfile.com.au — Credit report and ban
- Experian: 1300 783 684 | experian.com.au — Credit report and ban
- Justice Connect: justiceconnect.org.au — Free legal advice for eligible Australians
Justice Connect is grateful to Telstra for their generous support to create this resource. Learn more about Telstra’s work building Australians’ digital skills and confidence so they can take part in the online world.

This resource was last updated on 23 April 2026. This is legal information only and does not constitute legal advice. You should always contact a lawyer for advice specific to your situation. Please view our disclaimer for more information.