Services Australia may be in line for new powers to force third-parties hit by data breaches involving government identifiers to disclose the incident quickly.
The agency, which holds data on 27.5 million Australians, has experienced a sharp rise in notifiable data breaches attributed to “malicious or criminal actions” over the past two years, growing from seven in 2022-23 to 82 in 2024-25.
These breaches “primarily involve incidents where customers have inadvertently provided personal information and myGov sign-in credentials to parties impersonating the agency,” Services Australia officials told the federal auditor.
Third-parties that hold caches of personal data, such as Medicare numbers and Centrelink reference numbers, also represent a problematic attack vector.
Services Australia put plans in place for dealing with these types of incidents in 2022 following the Optus and Medibank breaches.
However, these plans declare the agency “does not have legislated authority to compel third-parties to share information about a data breach or compromise event where agency issued credentials are impacted.”
This could be about to change, with the federal auditor recommending new powers that would compel breached third-parties to inform Services Australia of any incident involving Centrelink or Medicare identifiers.
“The Australian government [should] consider implementing arrangements to support Services Australia being provided with timely notification of third-party data breaches involving government-related identifiers such as Medicare numbers and Centrelink reference numbers,” the auditor recommended.
Both the Attorney-General’s department and the Office of the Australian Information Commissioner (OAIC) are noted as agreeing with the recommendation.
“Such arrangements could require legislative reform, which is a matter for [the] government,” the OAIC said in response.
Tardy notification
The audit also examined Services Australia’s performance when it comes to notifying the OAIC of data breaches in a timely fashion.
“Of 165 NDBs notified to OAIC between 2018–19 and 2024–25, 117 (71 percent) were reported to the OAIC 50 or more days after Services Australia became aware of the incident,” the audit found.
Delayed or downplayed data breach disclosures have been a recurring problem across the notifiable data breaches scheme as a whole, not only at Services Australia.
The audit reveals that delayed notifications from Services Australia have been a problem since at least 2023.
“A September 2023 internal audit report on notifiable data breaches found that Services Australia’s internal assessments of [breaches] were not being completed within the 30-day statutory timeframe,” the audit stated.
“This internal audit recommended that Services Australia implement a centralised ‘register for recording suspected data breaches to support’ monitoring and oversight of the breaches, and compliance with the 30‑day assessment requirement.
“Services Australia reported these recommendations as closed in October 2023. The [audit office] has not verified their implementation.”
The agency has also recently built a capability to disclose breaches to affected individuals.
“Services Australia advised the [auditor] on September 4 that, since June 2025, a new ‘data breach mailout service’ has been instituted to enable Services Australia staff to provide [breach] notifications to affected customers via surface mail or electronic means,” the audit stated.
“The impact and success of this is subject to ongoing evaluation and monitoring by Services Australia.”
