‍Notification of cyber incident

Dear valued clients,

We have published this page to let you know about a recent privacy breach at Diversity Financial Group that involved some of your personal information. We explain below what happened, how we have responded and what it means for you.

What happened?

On 8 September 2025, we identified that an unknown third party had obtained unauthorised access to part of our computer system, hosted by a third-party provider on a cloud-based storage platform. Upon becoming aware of the issue, we engaged an external forensic specialist to investigate. As part of this investigation process, the third-party storage provider was directed to shut down access to its platform.

The investigation confirmed that unauthorised access to our system occurred through a phishing email, which in turn enabled personal information stored on our system to be accessed for a period of nearly two weeks. However, the forensic report was unable to confirm whether any of the data accessed during the incident was copied or removed from our system.

We sincerely apologise for any distress this news may cause you.

What information was affected?

The types of personal information that may have been impacted include:

• ‍Contact information (address, email address, phone number);

• Name and date of birth;

• Employment and payroll details;

• Medicare information;

• Bank account details;

• Tax file number;

• Driver licence details;

• Passport details;

‍What have we done in response?

Following the forensic investigation, we have acted by:

• contacting the relevant authorities, including the Office of the Australian Information Commissioner;

• resetting credentials for the compromised account and associated services;

• undertaking dark web monitoring to establish whether any of the data has been disclosed online; and

• enabling new multi-factor authentication on all devices utilised in our business.

We will provide a further update if we discover that the above information has been published on the dark web.

What does this mean for you?

As a precautionary measure, you should carefully review the information that was affected by this incident and think about whether this could result in you experiencing any harm. Some of the proactive steps you may consider taking to protect yourself include:

Personal Information

• Be aware of emails and telephone calls from people requesting your personal details, (especially things like your date of birth, residential address, email address, username or passwords which are often used to verify your identity).

• Change your email account password and enable multi-factor authentication where you can.

• Contact IDCARE on 1300 432 273 or visit www.idcare.org who can provide you with additional guidance on the steps you can take to protect yourself from identity fraud. IDCARE has identity and cyber support services available to organisations which provide affected individuals with their own IDCARE Case Manager and exclusive access to the IDCARE Client Portal where IDCARE can carry the load for individuals in seeking to address their risks.

• If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers. You can also contact your service provider and request to change your number.

Financial information

• Alert your financial institution so that they can implement additional monitoring and security protocols on your account.

• Closely monitor your financial statements for unauthorised transactions. If you identify a transaction you didn’t make, report it immediately to your financial institution.

• Change your online bank account password, banking PIN and enable multi-factor authentication if possible.

• Contact one of Australia’s three credit reporting agencies on one of the links below to confirm if your identity has been used to obtain credit without your knowledge or to request for a credit ban to be put in place:

  • Equifax: https://www.equifax.com.au/personal/products/credit-identity-protect

  • Illion: https://www.creditprotect.illion.com.au/

  • Experian: https://www.experian.com.au/consumer/request-a-ban

Government identifiers

• TFN – Contact the Australian Tax Office on 1800 467 033 or your superannuation fund so that they can consider placing additional monitoring and security protocols on your account.

• Medicare cards and numbers – Contact Services Australia for information on how to request a replacement card or new Medicare number. This will prevent people from being able to use the old card details for fraud

• Australian passports or numbers – Contact the Australian Passport Office for information on how to get a replacement passport.

• Driver’s license or license numbers – Contact the state or territory authority which issued the licence for information:

  • Australian Capital Territory – Access Canberra

  • New South Wales – Service NSW

  • Northern Territory – NT Government

  • South Australia – South Australian Government

  • Tasmania – Service TAS

  • Victoria – Vic Roads

  • Western Australia – Department of Transport

‍More information and making a complaint

‍If you have any concerns about what has happened or would like further information, you can contact Cameron Merritt on 0494 723 503 or info@dfg.financial.

‍If you are not satisfied with how we have handled this incident or you have experienced some harm as a result, you can make a privacy complaint. You can do so by contacting us using the above details. In doing so, it would be helpful if you could explain how you have been affected by the incident and what you would like us to do to resolve your complaint. If we cannot resolve your complaint, you can then make a complaint to the Office of the Victorian Information Commissioner (OVIC) at https://ovic.vic.gov.au/privacy/for-the-public/complaints/.

‍ ‍