Skip to content   Skip to footer navigation 

What to do if you've been caught in a data breach

Scammers and hackers can use your information to steal from, impersonate and defraud you or your loved ones.

laptop and smartphone with security shield on screen
Last updated: 23 December 2022


Checked for accuracy by our qualified fact-checkers and verifiers. Find out more about fact-checking at CHOICE.

Need to know

  • If you've been caught up in a data breach, stay calm but act quickly
  • Some breaches are minor and low-risk, but others can be extremely serious
  • You can't eliminate risk entirely, but there are steps you can take to increase your online security

Data breaches can mean a serious security threat to you and sometimes those around you.

If you find out you've been part of a breach, act quickly. Depending on the nature of the breach, you'll need to follow certain steps.

If the stolen data only includes simple information such as your username and password for an unimportant account, that's possibly a quick fix. For some other contact information such as your phone number, you'll also need to be wary of scams.

But if the breach includes financial or medical information, official documents or ID, account login details you use for multiple services, or a large amount of personal information, you might need to clear your schedule for the next hour or more and stay vigilant for the foreseeable future.

Tips for creating new passwords and PINs

Change the password for the affected account immediately. If you use that password (or a similar one) for any other accounts, they also need to be changed right away and you should add those accounts to your list of potentially compromised data.

Some priority password changes include financial accounts, email, insurance, health and government services, but use your own judgement to think of others you might have. Social media accounts are also a juicy target for hackers because they give access to a lot of personal information, as well as allowing direct communication with your friends.

If a password change triggers a prompt to sign out of that account on all your other devices, say yes.

Dos and don'ts for passwords and PINs

  • Never use the same (or similar) password or PIN for more than one service. This is a huge security risk.
  • Don't use a single dictionary word (e.g. "Cardboard1") as a password. Two unrelated words ("CardboardDog1") is easier to remember and much harder to crack. Even better, use a passphrase ("ilikemyCardboardDog1") or turn a long but memorable phrase, such as a song lyric, into an acronym.
  • Keep it impersonal. Avoid easy-to-guess details such as family or pet names. This also goes for using dates, postcodes, and parts of your driver's licence or phone number as your PIN.
  • Make it unusual. A quick web search will tell you if your new password or elements of it are featured on any 'most commonly used passwords' lists that do the rounds a few times a year.
  • If you write your login details down somewhere, make sure it's a safe place and out of sight. Don't keep passwords or PINs in an unencrypted file on a connected device. Even a photo of a written-out password can be easily found by modern software. If your recorded password or PIN is used to gain access to your accounts, the organisation in question might not be accountable.
  • Password managers help keep track of your login details and can create strong, randomised passwords without the need for you to remember them. Most of these services are subscription based.

Use official channels to ask for advice and information

It might be necessary to get in touch with organisations or institutions to manage accounts, documentation and other details.

If this is the case for you, use the official contact details on their website to avoid getting caught by scammers, who might have provided a false phone number or link to a fake website.

Social media accounts are a juicy target for hackers, giving access to a lot of personal information as well as direct communication with your friends

Don't give personal information to anyone who contacts you over the phone, messaging services or email. It's best to (politely) tell the person on the other end you'd feel more comfortable going through official channels. They might be able to provide you with a reference number to speed things along.

For free advice and phone consultations from specialised identity and cyber security counsellors, you can contact IDCare, a nonprofit national identity and cyber support service for Australia and New Zealand. IDCare is a registered charity and is often featured on Australian government websites.

Watch out for scammers

Common ways for scammers to get in touch are emails, phone calls and direct messages, but be wary of any unsolicited communications, no matter who they claim to be or represent.

Avoid sharing any personal information unless you're the one who's initiated contact via official channels.

Also watch out for phishing attempts, where the scammer will attempt to trick you into giving away personal or financial information via a fake website or by asking you to answer security questions, among other things.

Data breaches involving banking, credit and other financial information

For breaches involving financial information, change your online banking and PIN immediately, then contact your institution to let them know you've been part of a data breach. Use official channels rather than any links or phone numbers provided with a data breach notification, which might have been sent by scammers.

Check your purchase history or online statements for unusual activity such as unauthorised purchases or loans. Keep doing this for the near future to monitor account activity as scammers may not target you right away.

You can also request a copy or a ban on your credit report. If you do this, it's best to do it with all three main credit reporting bodies in Australia:

Data breaches involving government-related documentation and accounts

For documents such as a licence, identity card or Medicare card, get in touch with the respective government agency. Explain what happened and they should tell you how to proceed.

For tax-related information, contact the Australian Taxation Office (ATO) and they can monitor for suspicious activity involving your tax file number (TFN).

If any health or prescription records have been leaked, contact your health service provider.

Social media

Your social media account might have a lot of personal information that can be used to impersonate you. Take note of the information you've added to your account profile and consider ways that info could be used, such as confirming your identity in instances where you've forgotten your login details.

Contact any institutions or organisations you're worried could be tricked by a scammer who knows those personal details.

Also check your messaging services and social media activity to see if scammers have used your account to try and lure friends or followers into a trap.

Health and support services

Being affected by a major data breach can take a toll on your mental health. The Office of the Australian Information Commissioner (OAIC) has a list of suggested support resources to consider. But you can also talk to a licensed medical professional.

How do you know if you've been part of a data breach?

You'll often be notified if you've been part of a data breach, but you can look yourself or sign up to alert services.

Here are some ways you can find out if you've been part of a breach.

  • If the affected organisation must comply with the Australian Privacy Act, it's obliged to tell you if a data breach is likely to cause you serious harm.
  • You might read about it in the media, particularly if it's a large-scale or high-profile breach.
  • Websites such as Have I Been Pwned and Firefox Monitor can link your email address with many known data breaches.
  • The Australian Cyber Security Centre (ACSC) Alert Service is a free, government-operated subscription to receive email notifications about cyber security alerts in Australia, tagged with a status of low, medium, high or critical.
  • Some password managers and security suite software provide data breach alerts, which can include monitoring the dark web to see if your info is being traded illegally.

If you have any questions about sensitive information that your notification didn't cover, contact the organisation or institution directly. Sensitive information might include trade union memberships, criminal record, sexual orientation or practices, and some aspects of biometric information, among other things.

How to protect yourself from data breaches

There's not a whole lot you can do about the security practices of companies and institutions. You often also have limited control over what data they keep about you.

But there are a few measures you can take.

Set up 2FA or MFA

Multi-factor authentication (MFA) – also two-factor authentication (2FA) and two-step verification (2SV) – provides a strong defence against some types of data breaches. 

This is because you need more than just your username and password to log into an account – you also need an additional factor, which is most-often an authentication app on your phone or a code received via SMS, though the former of those two is safer. Not all online accounts support MFA, but many larger companies and institutions do.

Don't give out your personal information to anyone who contacts you over the phone, messaging services or email

But MFA doesn't hide your information – it only helps to stop people logging into a protected account. If a data breach included documents, financial details, medical records or personal information, that's outside of MFA's domain.

And if your MFA-protected account is caught in a data breach, you should still change your login details as soon as possible. This is especially important if you use that password or PIN for other accounts which might not support MFA, so change those too.

Be careful what you share

A lot of the information you share online is optional, even if data tracking is enabled by default. When signing up to a new account, take note of which details are required and which are optional (e.g. date of birth, location, photo of your face, etc.) and consider whether the account requires your real name.

Not all online accounts will have the same security levels as a larger company or institution. If it's something you plan on using only a handful of times, you can use a disposable/temporary email address using websites such as such as Temp-Mail, 10 Minute Mail, and Mail Proof, among others. If that company is breached, they won't have your email address.

Be smart with passwords

Good password practices are crucial for protecting yourself against data breaches. Always create a strong password and use a different password for each account. Password managers can help with this.

Tweak data tracking

Many apps and online accounts have privacy settings you can adjust to limit the amount of data a company collects about you.

Phone apps and social media services are particularly infamous for this, as are Google and Microsoft devices. But have a think about what services you use that might be tracking your data and do a web search for how to adjust their privacy settings.

Nothing's perfectly safe

There's simply no way to use online services without incurring risk. Some of that risk is up to you, but when it comes to data breaches, much of it's out of your hands.

If you do get caught up in a breach, remember to act quickly and calmly. Research the degree of the breach and ask for further details about your stolen information from the affected organisation or institution. Carefully consider the types of data that have been stolen and plan your response accordingly.

Remember you can still mitigate some threats with good security practices, online habits and by limiting the information you share with online accounts, be it publicly or privately.

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE.

Stock images: Getty, unless otherwise stated.