Security at Athena

At Athena we take security seriously. Our cyber security program and dedicated security team are focused on keeping our systems and your data safe. We’re happy to answer any questions about your security at security@athena.com.au or privacy at hello@athena.com.au.

But read on, we may have an A to your Q below.

Protecting your data

Access to data is limited to the staff and systems that need it, and only for when and what they need it for.

When requesting documents to support your loan application, we’ll always ask you to provide these via our secure portal, rather than email.

We only retain data for as long as required to support our operational, regulatory and legal obligations. We securely destroy data once it’s no longer required.

Protecting your account

What we do

We ask for multi-factor authentication on all Home Hub logins with settled loans, via an SMS code sent to your phone. For added security, you’ll need to do this again if you request a redraw.

After a period of inactivity, your Home Hub session expires, so you’ll need to log in again.

Minimum requirements for passwords are enforced; simple (and easily hacked) passwords are not permitted.

What you can do

Create a fierce password: one that you don't use anywhere else and that is hard for others to guess.

So you don’t forget it, consider using a password manager to safely store your password(s). There’s more on being a password guru here: Creating Strong Passphrases | Cyber.gov.au

Change your password every season. Call us on 13 35 35 to request a reset, or use https://id.athena.com.au/forgotpassword. Have a read of the strong password tips above before selecting your new one.

When your phone or computer has updates, install them. It’s safer!

Stay vigilant. Keep an eye out for dodgy emails that say they are from Athena but don’t “feel right”. We’ll never ask for your password or personal information over email or SMS. Better safe than sorry; if in doubt, call us on 13 35 35 to check.

Our Security Program

Our security program is continuously aligned, tested and iterated upon based on industry best practice.

The security frameworks we use as a benchmark: NIST Cybersecurity Framework, ISO/IEC 27001, SOC 2, and the Australian Cyber Security Centre Essential 8.

The security of our suppliers and partners can directly affect our own. We choose whom we work with carefully, and ensure that they also implement good security.

The fundamentals have to be watertight:

  • Strong controls on access to Athena systems and customer data (with extensive use of multi-factor authentication);
  • Encryption of all sensitive data (including customer information) both in transit and at rest;
  • CI/CD pipeline to enforce code security at every stage of the Software Development Lifecycle;
  • Continuous logging and monitoring to detect controls failure and abnormal activities and to ensure timely response;
  • Dedicated security team and partnerships in place with specialized incident response firms in the event of a major security incident.

More on our security protocol

Data security

All sensitive and customer data is encrypted both in transit and at rest, using TLS protocols and the AES-256 encryption algorithm. We also have documented standards for key management and encryption requirements based on data classification. We continuously monitor our environment to ensure compliance with these standards.


We only retain data for as long as required to support our operational, regulatory and legal obligations, and securely destroy data once it is no longer required.

Access Control

We follow the Principle of Least Privilege, which states that a subject should be given only the permissions needed to complete its role and responsibilities. This means that we limit access to data and systems only to people and processes that need it, to minimise data exposure. In particular, this principle is strictly enforced for customer data – access is provided only to those who require it for their role.


When staff depart Athena, all access to systems and services is revoked. In addition, we regularly review staff access levels for all systems, and address any gaps promptly.


System-to-system access credentials are rotated frequently via an automated workflow and regularly audited.

Supply Chain Risk Management

We have a third-party assessment program to review the security of the suppliers and partners that we choose to work with, ensuring that they meet our security standards. If a supplier does not meet our baseline, we will choose not to continue that relationship.


The Principle of Least Privilege applies here too - if a supplier or partner requires access to Athena data or systems, this is limited to what is required for the purpose for which they have been engaged.

Awareness and Training

Security training sessions are run for all new staff, with regular refreshers. Security culture is important, and our security team actively engages with all parts of Athena to ensure staff know how to perform their role securely.

Continuous Monitoring and Threat Detection

We have a dedicated Security Operations Centre team which monitors logs and investigates alerts received through our centralized logging platform.


We also perform threat hunting and discovery activities on a regular basis, and we leverage threat intelligence to identify emerging threats and iterate on all aspects of our security program.

Network Security

Our approach is aligned with the Zero Trust Security Model, in which we do not place any inherent trust in the network, nor have a traditional “perimeter”. Instead, we place controls around the systems and data we use and ensure that only verified identities can access them in a time-boxed fashion.


In line with the Principle of Least Privilege previously referenced, we limit access to systems and services to the source networks and geographies that require access to them.

Secure Software Development Practice

We use a CI/CD pipeline and we segregate development, test and production environments. All our code is subject to review before deployment in the production environments, and that includes regression testing, automated code security scanning and code review.


Security is actively engaged as part of the technical design process, and security patterns are provided for common components to promote safe design.

Security Incident Management

Whilst we do everything we can to prevent security incidents, we acknowledge that no organisation can be 100% safe. To ensure we’re prepared for a security-related incident, we have a documented Security Incident Response framework and a number of technical incident response playbooks we iterate on regularly.


Athena will promptly alert affected customers of major incidents impacting Athena services or data, and of any incidents affecting the confidentiality and integrity of user data, in line with the Athena Privacy Policy.

Athena acknowledges the traditional owners of the land on which we gather, the Gadigal people of the Eora nation. We acknowledge that sovereignty was never ceded and respect their continued and continuing connection to this place.