Centrelink Data Allegedly Leaked on Cybercrime Forum A threat actor known as 2019 listed sensitive Centrelink data for sale on a cybercrime forum, as uncovered by threat researcher Dark Web Informer. The leaked records appear to originate from Centrelink’s Advice of Death form, which is used to report deaths and adjust payments for surviving family members. The compromised data includes highly personal details of over 2,100 deceased individuals, such as: - Full names, dates of birth and death - Medicare and Centrelink reference numbers - Home and hospital addresses - Next-of-kin details (names, phone numbers, addresses) - Aboriginal/Torres Strait Islander status - Funeral director and estate executor information - Signatures and declaration dates of notifiers Instead of demanding a ransom, the threat actor is offering the data for a one-time sale, accepting cryptocurrencies (Bitcoin, Ethereum, or Monero). Services Australia, the agency overseeing Centrelink, denied any breach of its systems, stating: “Our platforms and systems remain secure and have not been compromised.” The agency acknowledged monitoring dark web activity and suggested the data may have been exposed through a third-party compromise. It is working with the Australian Cyber Security Centre and other authorities to assess risks and implement additional security measures for affected individuals.

Services Australia Seeks New Powers to Compel Third-Party Breach Disclosures Amid Rising Cyber Threats Services Australia, which manages data for 27.5 million Australians, is pushing for expanded authority to require third parties to disclose breaches involving government identifiers, such as Medicare and Centrelink numbers. The move follows a dramatic surge in notifiable data breaches—from seven in 2022–23 to 82 in 2024–25—primarily driven by phishing attacks where individuals unknowingly shared credentials with impersonators. While the agency established response plans after the 2022 Optus and Medibank breaches, it currently lacks legal power to compel third parties to report incidents involving its identifiers. A federal audit recommended legislative reforms to mandate timely notifications, with support from the Attorney-General’s Department and the Office of the Australian Information Commissioner (OAIC). The audit also revealed systemic delays in breach reporting: 71% of the 165 notifiable data breaches (NDBs) reported to the OAIC between 2018–19 and 2024–25 were disclosed 50 or more days after detection. Internal reviews dating back to 2023 found Services Australia frequently missed the 30-day statutory assessment deadline, though the agency claims to have addressed these gaps by October 2023. In June 2025, Services Australia introduced a new "data breach mailout service" to directly notify affected individuals via mail or digital channels, though its effectiveness remains under evaluation. The proposed reforms aim to close gaps in breach transparency, particularly where third-party custodians hold sensitive government-linked data.