
If you suspect any unauthorised access or security issues with your account, contact our security team immediately at security@athena.com.au.

If you have concerns about your privacy, contact us at hello@athena.com.au. We take all reports seriously and will take immediate action to protect your account.

How we protect your data

We take a proactive, multi-layered approach to security to protect your data. Our dedicated security team continuously monitors, improves, and upholds our security posture, ensuring alignment with industry best practices and compliance frameworks. We enforce strict security controls across our infrastructure, systems, and data handling processes.

Key security measures

  • Data encryption – All sensitive data, including customer information, is encrypted both in transit and at rest.
  • Strict access controls – Where possible we enforce multi-factor authentication (MFA) on all internal systems to ensure only authorised staff have access when needed.
  • Security audits & compliance – We continuously benchmark our security program against the NIST Cybersecurity Framework, ISO/IEC 27001, SOC 2, and the Australian Cyber Security Centre Essential 8. Regular internal and third-party assessments help us maintain and strengthen our security posture and practices.
  • Data handling and retention – We securely store and process customer data only for as long as necessary to meet operational, regulatory, and legal obligations. When requesting documents (such as for loan applications), we prefer you to upload them via our secure portal rather than email for enhanced protection.
  • Supplier security – We have a third-party supplier assessment program to review the security of our suppliers and partners, as their security directly impacts ours. If a supplier does not meet our baseline, we will choose not to work with them or continue that relationship.
  • Secure software development – Security is enforced at every stage of our software development lifecycle, with CI/CD pipeline security controls ensuring code integrity.
  • Continuous monitoring & incident response – Our security team monitors activity in real-time to detect, investigate and respond to threats as necessary.

Access to your account

We provide passwordless authentication to enhance security and simplify access. Instead of passwords, we use time-based, one-time passcodes (OTPs) via email and SMS, ensuring only you can log into your account. Read more about multi-factor authentication in "Multi-factor authentication" on cyber.gov.au.

Multi-factor OTP is significantly more secure than traditional password + SMS OTP combinations as it:

  • Eliminates password-based attacks – Since there’s no password to steal, phishing, credential stuffing, and brute-force attacks are rendered ineffective.

  • Requires real-time access to both your phone and email – Unlike passwords, which can be stolen and used anywhere in the world, OTPs require real-time access to your phone or email.

  • Prevents SIM swapping exploits – Even if an attacker hijacks your phone number, they still need access to your email to complete authentication.

  • Time-sensitive codes – OTPs expire quickly and can’t be reused, reducing the risk of unauthorised access.

  • Stronger multi-factor authentication (MFA) by default – Instead of relying on a single weak password, our system inherently requires two independent authentication factors.

  • Customer choice of multi-factor authentication – You can choose to use SMS or enable biometrics as additional factors for simpler, more secure access.

Domains, email addresses, and communication channels

We maintain strict security around the domains and email addresses we use to communicate with you.


Official domains

Always ensure you are interacting with a website that belongs to Athena. All our domains are accessed using the HTTPS protocol.

  • https://athena.com.au
  • https://mortgagechoice.athena.com.au
  • https://lmg.athena.com.au
  • https://athl.co (used in SMS messages)

Verified email addresses

All our official communications come from email addresses ending in:

  • @athena.com.au
  • @mortgagechoice.athena.com.au
  • @lmg.athena.com.au

SMS messages

Messages from us come from our registered numbers. If you receive an SMS from an unknown sender claiming to be us, report it immediately.

  • 0429 333 555 (Athena)
  • 0483 900 880 (Mortgage Choice Freedom)
  • 0483 988 185 (Apollo by LMG)
  • Athena
  • MC Freedom
  • Apollo

How we communicate securely

We take extra precautions to ensure our communications are safe and trustworthy.

  • We never ask for your password in emails – In fact, we don’t even have user-generated passwords. Be aware of scams that may attempt to have you disclose secure information.
  • We minimise links in emails – To reduce phishing risks, we try to avoid unnecessary links or offer you an alternative way to reach the same destination. Always validate that links have taken you to a trusted domain.
  • How to recognise official emails and SMS – We will always use our verified domains and official SMS numbers.

What you can do (security recommendations)

To further protect yourself, we recommend the following security best practices.

Personal device security

Your personal device, like a smartphone, is central to your security. Not only does it contain sensitive data (like photos, emails and messages), it also serves as a key authentication method for your account.

  • Practice good physical security: Keep your devices in a safe location and be mindful of your surroundings when accessing sensitive information.
    • Never leave your device unattended in public places, such as cafés, airports, or shared workspaces.
    • Be aware of shoulder surfing – If entering a passcode or OTP in public, ensure no one is watching.
    • Physically secure your device – Use strong, unique PIN codes or biometrics, enable automatic locking, and consider using device tracking features like ‘Find My iPhone’ or ‘Find My Device’ in case of loss or theft.
    • Consider privacy screen protectors – These limit screen visibility from side angles, reducing the risk of unauthorised viewing.
  • Enable device lock: Use Face ID, fingerprint, or a PIN to protect your phone. Set a short screen lock time to minimise unauthorised access.
  • Disable message preview from lock screen: Prevent sensitive information, such as OTPs and sensitive messages, from being visible on your lock screen. This reduces the risk of unauthorised access if someone gains possession of your phone.
    • iOS: Go to Settings > Notifications > Messages (or Email) > Show Previews > Select 'Never' or 'When Unlocked'.
    • Android: Go to Settings > Notifications > Messages (or Email) > Lock Screen > Select 'Do not show notifications' or 'Show content only when unlocked'.
  • Keep your software up to date: Regularly update your computer, phone and email applications.
  • Use a secure email provider: Enable multi-factor authentication (MFA) on your email account.
  • Beware of phishing attempts: If an email or SMS looks suspicious, do not follow any links.

FAQs

Some of your most common questions on security and privacy are answered below. Don’t see what you’re looking for? Feel free to reach out to our team at security@athena.com.au or hello@athena.com.au.

Why don't you use passwords?

Traditional passwords are vulnerable to attacks like phishing, credential stuffing, and brute-force attempts. By using passwordless authentication with one-time passcodes (OTPs) via email and SMS, we reduce the “attack surface” and enhance security while making login faster and easier.

What if someone gains access to my phone?

If your phone is lost or stolen, take the following steps immediately:

  1. Lock your phone remotely using security features like Find My iPhone or Find My Device.
  2. Reset your email password to prevent anyone from accessing your OTPs.
  3. Contact us so we can apply additional security measures to your account.
  4. Enable a strong device lock (PIN, fingerprint, or Face ID) to prevent unauthorised access.

What if someone guesses my email address?

Knowing your email address alone isn’t enough to access your account. An attacker would also need access to your phone or email inbox to retrieve the OTP, and would also have to pass either an SMS OTP or biometric MFA challenge. We recommend enabling multi-factor authentication (MFA) on your email account for additional protection.

What should I do if I lose my device?

If you lose your phone, follow these steps:

  1. Use remote tracking services (Find My iPhone or Find My Device) to locate or erase your phone.
  2. Change your email password immediately to prevent unauthorised access to OTPs and to stop a thief from resetting passwords for your other services.
  3. Contact us to notify our security team and apply additional account protections.

How can I minimise the time it takes me to log in?

To speed up login you can enrol your device to use biometric authentication (e.g., Face ID or fingerprint) for the Athena App or Home Hub.

How can I access my account while overseas?

  • Ensure your registered phone number works internationally to receive SMS OTPs.
  • Use a trusted and secure internet connection to access your email OTPs.
  • Consider setting up a backup email authentication method before you travel.
  • Use a VPN if you experience issues accessing your account due to regional restrictions.

How do I verify a communication from you?

To confirm whether an email or SMS is legitimately from us:

  • Check the sender's email address – All our emails come from @athena.com.au.
  • Verify any links before clicking – They should always point to athena.com.au.
  • We never ask for passwords – If you receive a message asking for credentials, it’s a scam.
  • If unsure, contact our team directly through our official website.

What should I do if I receive a suspicious email or SMS?

If you receive a suspicious message claiming to be from us:

  • Do not click any links or open attachments.
  • Do not enter any personal information.
  • Report it to us immediately by forwarding the message to security@athena.com.au.
  • Delete the message once reported.

The nitty gritty

Whether you’re a security pro or just curious, this section gives you full transparency into how we protect your data.

Data Security

All sensitive and customer data is encrypted both in transit and at rest, using TLS protocols and the AES-256 encryption algorithm. We also have documented standards for key management and encryption requirements based on data classification. We continuously monitor our environment to ensure compliance with these standards.

We only retain data for as long as required to support our operational, regulatory and legal obligations, and securely destroy data once it is no longer required.

Access Control

We follow the Principle of Least Privilege, which states that a subject should be given only the permissions needed to complete its role and responsibilities. This means that we limit access to data and systems only to people and processes that need it, to minimise data exposure.

In particular, this principle is strictly enforced for customer data – access is provided only to those who require it for their role.

When staff depart Athena, all access to systems and services is revoked. In addition, we regularly review staff access levels for all systems, and address any gaps promptly.

System to system access credentials are rotated frequently via an automated workflow and regularly audited.

Supply Chain Risk Management

We have a third-party assessment program to review the security of our suppliers and partners that we choose to work with, ensuring that they meet our security standards. If a supplier does not meet our baseline, we will choose not to continue that relationship.

The Principle of Least Privilege applies here too - if a supplier or partner requires access to Athena data or systems, this is limited to what is required for the purpose for which they have been engaged.

Awareness and Training

Security training material is provided for all new staff, with regular refresher courses given. Security culture is important, and our security team actively engages with all parts of Athena to ensure staff know how to perform their role securely.

Continuous Monitoring and Threat Detection

We have a dedicated Security Operations Centre team which monitors logs and investigates alerts received through our centralised logging platform.

We also perform threat hunting and discovery activities on a regular basis, and we leverage threat intelligence to identify emerging threats and iterate on all aspects of our security program.

Network Security

Our approach is aligned with the Zero Trust Security Model, in which we do not place any inherent trust in the network, nor have a traditional “perimeter”. Instead, we place controls around the systems and data we use and ensure that only verified identities can access them in a time-boxed fashion.

In line with the Principle of Least Privilege previously referenced, we limit access to systems and services to the source networks and geographies that require access to them.

Secure Software Development Practice

We use a CI/CD pipeline and we segregate development, test and production environments. All our code is subject to review before deployment to the production environments, and that includes regression testing, automated code security scanning and code review.

Security is actively engaged as part of the technical design process, and security patterns are provided for common components to promote safe design.

Security Incident Management

Whilst we do everything we can to prevent security incidents, we acknowledge that no organisation can be 100% safe. To ensure we’re prepared for a security related incident, we have a documented Security Incident Response framework and a number of technical incident response playbooks we iterate on regularly.

Athena will promptly alert affected customers of major incidents impacting Athena services or data, and of any incidents affecting the confidentiality and integrity of user data, in line with the Athena Privacy Policy.

Athena acknowledges the traditional owners of the land on which we gather, the Gadigal people of the Eora nation. We acknowledge that sovereignty was never ceded and respect their continued and continuing connection to this place.