The Australian Sports Commission has been investigating the unauthorised access of an agency email account since 7 November 2019 when a staff member reported unusual activity on their account.

The investigation found no evidence any other ASC email accounts or systems have been compromised.

With close support from the Australian Cyber Security Centre and Microsoft, the ASC has undertaken a thorough review into the incident. At this stage of the investigation we have determined that it is not possible to conclusively determine if any personal information contained in the email account was extracted by an unauthorised person.

As a precaution and to ensure the continued safety of people’s information, we are making it a priority to inform and support every individual who may have been impacted.

We have established that the email account contained references to approximately 18,900 individuals. The vast majority of these individuals are referenced by either their name and/or birthdate, or other basic contact information.

There are a small number of people that we consider to have had more sensitive personal information contained within the account, such as medicare card or driver licence details, passport information and health information. We are contacting each of these people directly to inform them and provide additional support.

We take our responsibility for protecting private and trusted information very seriously and have invested heavily in keeping our IT security systems strong and secure.

To protect the ongoing security of personal information referenced in the email account, we have engaged with IDCARE, a national identity and cyber support service, to provide daily online monitoring to detect any inappropriate use.

The ASC has set up a support line, which can be accessed by calling 1800 318 237.

We have engaged IDCARE, a national identity and cyber support service. Their Case Managers work with tens of thousands of Australians each year who confront personal information and privacy risks. You can contact IDCARE via their online support request form and by quoting the referral code ASP 19 H.

The incident has been reported to the Office of the Australian Information Commissioner and referred to the Australian Federal Police. The Police Report Number for this incident is PN 6416080.

Depending on the type of information that may have been exposed, IDCARE recommends you consider the following proactive measures.

• Inform your financial institution that your personal information may be at risk of identity misuse and ask them what additional measures they recommend.
  • An incident involving a credit card does not automatically mean that the credit card will be cancelled and a new one reissued. Talk to your institution about your options.

• Change any online banking passwords and if you haven’t already, explore whether your online banking has multi-factor authentication security (such as using a token PIN or SMS code – in addition to your username or account ID and password).

• Check out your Credit Reports for any unexplained credit checks.
  • Every Australian can get free access to their credit reports. You may have three different credit reports from each of Australia’s three separate credit reporting bureaus.
  • To apply for your credit report follow the steps in IDCARE’s Fact Sheet – Credit Reports Australia.
  • If you have a foreign passport or driver licence talk to IDCARE about your options (submit a support request form and use the referral code ASP 19 H).
  • If you find entries on your credit report that cannot be explained or are incorrect, such as a different address, please contact IDCARE immediately.

• If you think you may experience misuse involving credit, you can also apply for a Credit Ban with each of Australia’s credit reporting bureaus.
  • Like credit reports, credit bans are free under Australian privacy laws.
  • They sound bad, but a credit ban will prevent credit providers from accessing your credit report as part of a credit check. This helps to safeguard against anyone using your information to fraudulently take out credit in your name.
  • Credit bans won’t upset any existing credit lines you may have, such as credit cards and loans.
  • They are only in place for 21 days in Australia, but you can ask for an extension if you think you face an enduring risk and provide a police report number. The police report number for this incident provided by the AFP is PN 6416080.
  • To apply for credit bans follow the steps in IDCARE’s Fact Sheet – Credit Bans Australia.
• Remain vigilant to unauthorised requests to port your mobile telephone number to another provider.  
  • If this occurs or your phone loses a permanent signal, contact your telecommunications service provider to confirm whether a request for porting has occurred, and if so, request a reversal.
  • You should also contact your financial institution to temporarily suspend online banking and change your email password and set up multi-factor authentication with another mobile number or email address. More information about this type of scam can be found at IDCARE’s Fact Sheet on Porting.

• Consider contacting the Department of Foreign Affairs Australian Passport Information Service about organising a replacement passport.
• More information about renewing your passport is available on the Australian Passport Office website.

• You may wish to notify your driver licence issuer that your licence may be compromised. Some states and territories make a notation on a person’s account if they believe their licence is at risk. This alone will not prevent someone from misusing your licence.
• In most states and territories a driver licence number cannot be changed. And for the states that do (Queensland and Victoria), they will only change the licence number if an individual experiences identity misuse (not just the exposure or theft of the licence).

• Consider contacting the Department of Human Services Identity Security and Response team (ISAR) by calling 1800 941 126 (8 am to 5 pm AEDT Monday to Friday) to let them know that your Medicare Card may have been accessed by an unknown third party.
• ISAR will connect you with the Medicare Help Desk who will assist you with obtaining a new Medicare Card.
• A replacement Medicare Card is free.
• Discuss with the Identity Security and Response team potential risks to your MyGov account, or if you don’t have one, risks relating to someone setting up one in your name.

There are limited ways sensitive health information can be misused for financial gain but this kind of information can be leveraged to facilitate blackmail. IDCARE advises that most threats to expose information are nothing more than a bluff. If you come across something unusual, it is advised not to respond, open links or attachments and report it immediately to IDCARE.

Unauthorised access of sensitive health information in and of itself can cause emotional distress. The ASC has set up a support line, which can be accessed by calling 1800 318 237.

• Change your email and social media passwords and activate multi-factor authentication if available.
• Remain vigilant to telephone call, SMS and email phishing scams. You can report suspicious activity to IDCARE. One of their case managers will work with you to determine what it is, what it could be, and what can be done about it.

You are not alone. Navigating and understanding response options can be difficult. IDCARE is available to work with you to explore your concerns and any needs you may have in protecting your identity and personal information. You can arrange to speak with an IDCARE Case Manager via the online form. Be sure to quote your ASC referral code ASP 19 H.

Even if you choose not to take any of the actions outlined above, IDCARE services remain open to you by using the referral code. However, the ability to respond and recover information lessens considerably if you respond to a suspicious email, SMS, or telephone call and enable access to accounts because of a deceptive act. So be particularly mindful of socially engineered attacks, including phishing emails, fake social media requests and messaging, text messages that require you to click on links, and telephone scammers.

The ASC has set up a support line, which can be accessed by calling 1800 318 237.

Additional information on privacy, your rights and complaints processes are available on the Office of the Australian Information Commissioner’s website or by calling their general enquiries line on 1300 363 992.

You can make a general complaint to the ASC via our website and view our Privacy Policy online.

IDCARE has a freely accessible public Learning Centre that contains information about the common types of methods criminals use to commit identity theft as well prevention tips and response advice. You can access their learning centre online.

Other useful information sources about scams and privacy freely available include:

• MoneySmart has information about financial, investment and insurance scams
• Scamwatch has information about how to recognise, avoid and report scams
• Stay Smart Online has information on the latest online threats and how to respond
• Report cybercrime securely to the Australian Cyber Security Centre at ReportCyber.