Services Australia may get powers to rein in data breach exposure

**Services Australia Seeks New Powers to Compel Third-Party Breach Disclosures Amid Rising Cyber Threats**

Services Australia, which manages data for 27.5 million Australians, is pushing for expanded authority to require third parties to disclose breaches involving government identifiers, such as Medicare and Centrelink numbers. The move follows a sharp rise in notifiable data breaches (from seven in 2022–23 to 82 in 2024–25), driven primarily by phishing in which customers unwittingly handed personal information and myGov sign-in credentials to impersonators.

While the agency established response plans after the 2022 Optus and Medibank breaches, it currently lacks legal power to compel third parties to report incidents involving its identifiers. A federal audit recommended legislative reforms to mandate timely notifications, with support from the Attorney-General’s Department and the Office of the Australian Information Commissioner (OAIC).

The audit also revealed systemic delays in breach reporting: 71% of the 165 notifiable data breaches (NDBs) reported to the OAIC between 2018–19 and 2024–25 were disclosed 50 or more days after detection. Internal reviews dating back to 2023 found Services Australia frequently missed the 30-day statutory assessment deadline, though the agency claims to have addressed these gaps by October 2023.

In June 2025, Services Australia introduced a new "data breach mailout service" to directly notify affected individuals via mail or digital channels, though its effectiveness remains under evaluation. The proposed reforms aim to close gaps in breach transparency, particularly where third-party custodians hold sensitive government-linked data.

Source: https://www.itnews.com.au/news/services-australia-may-get-powers-to-rein-in-data-breach-exposure-622482

Services Australia cybersecurity rating report: https://www.rankiteo.com/company/services-australia

"id": "SER1765340155",
"linkid": "services-australia",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact, with customer data leaks"
{'affected_entities': [{'customers_affected': '27.5 million',
                        'industry': 'Public Sector',
                        'location': 'Australia',
                        'name': 'Services Australia',
                        'size': "Large (27.5 million Australians' data)",
                        'type': 'Government Agency'}],
 'attack_vector': ['Phishing', 'Third-Party Compromise'],
 'customer_advisories': 'Data breach mailout service (since June 2025)',
 'data_breach': {'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal information',
                                              'Government identifiers',
                                              'Credentials']},
 'description': 'Services Australia may gain new powers to compel '
                'third-parties to disclose data breaches involving government '
                'identifiers quickly. The agency has seen a rise in notifiable '
                'data breaches due to malicious or criminal actions, primarily '
                'involving customers inadvertently providing personal '
                'information and myGov credentials to impersonators. '
                'Third-parties holding Medicare and Centrelink identifiers are '
                'a problematic attack vector. The agency currently lacks '
                'authority to compel third-parties to share breach '
                'information, but legislative reforms are being considered.',
 'impact': {'data_compromised': ['Personal information',
                                 'myGov sign-in credentials',
                                 'Medicare numbers',
                                 'Centrelink reference numbers'],
            'identity_theft_risk': 'High'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Need for timely breach notifications, centralized breach '
                    'monitoring, and legislative authority to compel '
                    'third-party disclosures.',
 'post_incident_analysis': {'corrective_actions': ['Legislative reforms for '
                                                   'third-party breach '
                                                   'notifications',
                                                   'Centralized breach '
                                                   'monitoring register',
                                                   'Data breach mailout '
                                                   'service'],
                            'root_causes': ['Customer inadvertent disclosure '
                                            'of credentials to impersonators',
                                            'Third-party data breaches '
                                            'involving government identifiers',
                                            'Delayed internal breach '
                                            'assessments']},
 'recommendations': ['Implement legislative reforms to compel third-parties to '
                     'notify Services Australia of breaches involving '
                     'government identifiers.',
                     'Improve internal breach assessment processes to comply '
                     'with the 30-day statutory timeframe.',
                     'Continue evaluating the effectiveness of the data breach '
                     'mailout service.'],
 'references': [{'source': 'Australian National Audit Office'}],
 'regulatory_compliance': {'regulations_violated': 'Notifiable Data Breaches '
                                                   '(NDB) scheme (delayed '
                                                   'notifications)',
                           'regulatory_notifications': '165 NDBs notified to '
                                                       'OAIC (2018–2025)'},
 'response': {'communication_strategy': 'Data breach mailout service (since '
                                        'June 2025)',
              'incident_response_plan_activated': 'Yes (plans in place since '
                                                  '2022)'},
 'threat_actor': 'Malicious or criminal actors',
 'title': 'Services Australia Third-Party Data Breach Notification Powers',
 'type': ['Data Breach', 'Credential Theft'],
 'vulnerability_exploited': 'Customer inadvertent disclosure of credentials'}