NOTICE OF A DATA MATCHING PROGRAM – SERVICES AUSTRALIA AND SUMO CUSTOMERS AFFECTED BY FEBRUARY 2024 DATA BREACH

This notice refers to the commencement of a data matching program by Services Australia (the Agency) using information provided by Sumo about Sumo customers affected by the February 2024 data breach (Data Breach). The initial analysis provided by Sumo indicates that there may be approximately 15,800 impacted customers.

Where an Agency customer’s Medicare number or Centrelink Reference Number (CRN) was disclosed as part of the Data Breach, the following data, to the extent captured by and available to Sumo, has been provided by Sumo to the Agency:

• card number, expiry date and customer name appearing on Medicare or Centrelink concession card
• customer’s date of birth
• customer’s address.

The Agency will compare the data provided by Sumo to Medicare and Centrelink customer records held by the Agency. This will assist the Agency to identify affected customers and apply proactive security measures to affected customer records.

A protocol document describing this program has been developed in consultation with the Office of the Australian Information Commissioner (OAIC). Copies of the document are available from:

https://www.servicesaustralia.gov.au/data-matching-activities-for-third-party-organisation-data-breaches?context=1

The Agency adheres to the OAIC Guidelines on data matching in Australian Government administration which includes standards for data matching to protect the privacy of individuals. The Agency’s privacy policy is available at:

https://www.servicesaustralia.gov.au/organisations/about-us/publications-and-resources/privacy-policy