ABN Lookup makes business verification easy — but in the age of data aggregation and harassment, ‘public-by-default’ exposure of sole trader identities is falling behind global registry norms.
The uncomfortable truth: ABN Lookup can act like a doxxing shortcut
ABN Lookup is designed as a public trust tool. It shows a business’s ABN and status, names (including entity names), and the state/territory plus postcode of the main business location — not street addresses or contact details.
That sounds reasonable — until you’re a sole trader.
ABN Lookup’s own documentation is explicit: for an individual/sole trader, the entity (legal) name is “your name.” Combined with a location signal (state + postcode), this creates a durable identity anchor: a public linkage between a real person and a business identifier.
In a world where personal data is routinely collected, repackaged, and redistributed, “small” public disclosures don’t stay small.
What ABN Lookup publishes (and why “not the address” isn’t the whole story)
ABN Lookup publishes a subset of ABR information — including names and state/postcode — and explicitly does not publish detailed contact information like address, email, or phone number.
But two design choices raise the stakes:
1) Sole traders are natural persons, not faceless entities
For sole traders, the public “entity legal name” is a personal name — by definition.
2) It scales cleanly (bulk + services)
ABN Lookup data isn’t only viewable one search at a time. A weekly Bulk Extract is published in XML and includes legal name plus state/postcode, and the dataset is maintained on data.gov.au.
This matters because modern abuse is often industrialized: repeated lookups, aggregation, and reuse.
The modern threat model: “data stitching” turns low-risk fields into high-risk outcomes
Doxxing rarely depends on a single database. The harm comes from collection + redistribution and the way different datasets can be linked over time.
A major doxxing literature review notes how publicly available data can become weaponized when it’s compiled and amplified for abuse.
ABN Lookup doesn’t need to publish a home address to become useful to someone trying to target a person. It only needs to reliably answer: “Which real person is behind this business identity?” When that linkage is public and stable, it can be misused.
Australia already recognizes the risk — but the burden is on the person at risk
ABR provides a process to request non-disclosure when publishing ABN details may create a personal safety risk or exceptional circumstances exist. If approved, key fields (including legal/historical name and postcode) won’t be public.
The problem is structural:
- In most cases, you apply for an ABN first, which can mean details are public until the request is finalized.
- Only certain sole traders with exceptional circumstances can apply concurrently to prevent interim exposure.
That’s public-by-default design with safety as an exception — backwards for 2026.
Global policy is converging on a different model: tiered transparency
Around the world, public registries are being forced to reconcile two legitimate goals:
- Verification and accountability
- Privacy and personal safety for natural persons
Here’s the pattern: keep the register useful for trust and compliance — but reduce broad public exposure of personal data, and use tiered access where needed.
Signals from around the world
| Registry / System | What changed (or what’s allowed) | What it implies |
|---|---|---|
| EU (beneficial ownership) | The EU’s top court found “general public” access to beneficial ownership information was an unjustified interference with privacy/data protection rights. | Public access isn’t automatically justified; proportionality matters. |
| UK (Companies House) | People can apply to remove a home address from the public register in specific situations, with replacement address requirements. | Verification can exist without permanent home-address exposure. |
| New Zealand (Companies Office) | Residential address suppression is available via application (and can require evidence like protection orders). | Risk-based suppression exists, but often requires proof. |
| France (INSEE/Sirene) | Natural persons can request non-disclosure consistent with GDPR objection rights. | Directory publication is not “inevitable” for individuals. |
| Singapore (ACRA) | ACRA moved to display a contact address in public records instead of a residential address (while still collecting residential address for official use). | “Public contactability” can be separated from residential privacy. |
| Canada (federal corporations) | Public disclosure includes registered office address and directors’ names and addresses. | A useful contrast: transparency-first regimes still exist — and remain contested. |
The takeaway: The world is not uniformly moving toward secrecy. It’s moving toward smarter disclosure: publish what the public needs, protect what enables targeting, and keep strong access for legitimate oversight.
A better blueprint for ABN Lookup: public verification, private identity
ABN Lookup’s core purpose is legitimate — verifying whether a business exists and is current.
What needs to change is the default exposure of sole trader legal identities.
Key design principle:
The public should be able to answer “Is this business real?”
without being able to easily answer “Who is the person behind it?”
What should be public vs protected
| Data element | Public layer (open) | Protected layer (restricted + audited) |
|---|---|---|
| ABN validity + status | ✅ | — |
| Business name(s) | ✅ | — |
| GST registration indicator (where relevant) | ✅ | — |
| Sole trader legal name | — | ✅ |
| Historical name changes | — | ✅ |
| Location signal | ✅ (coarser) | ✅ (precise) |
| Internal integrity / compliance fields | — | ✅ |
This is not “less transparency.” It’s purpose-based transparency.
“But transparency fights fraud” — yes. That’s why tiered access works.
The best argument for keeping names public is that verification reduces fraud and improves trust.
But global AML practice doesn’t require broadcasting sensitive personal data to everyone. FATF guidance emphasizes that beneficial ownership information should be held by a public authority/registry or equivalent mechanism that enables efficient access — not necessarily unrestricted public publication.
Australia itself is already walking this line elsewhere: ASIC announced (2 Feb 2026) that purchased company extracts will no longer contain residential addresses of officeholders, citing privacy/safety concerns and risk reduction for identity theft and cybercrime.
That’s the same balancing act ABN Lookup now needs for sole traders — but focused on legal names as the exposure point.
How to implement this without breaking commerce or compliance
- Default-safe for new sole traders
Stop publishing personal legal names by default. Publish business-facing identifiers and business names, keep legal name behind protected access. - Service/contact address model
Follow the pattern used in other registries: keep public contactability without exposing residential-linked data (Singapore’s “contact address” approach is a clean example). - Tiered access gateway
Allow vetted access for banks, regulators, courts, and other legitimate users — but require:- identity verification
- reason codes
- audit logs
- meaningful penalties for misuse
- Fast-track safety suppression
If credible safety risk is raised, suppress immediately pending review — not after harm. - Integrity upgrades behind the scenes
If you reduce public identity exposure, you should raise the bar on internal identity assurance so criminals can’t exploit reduced visibility (this aligns with FATF’s push for reliable, accessible ownership/control information for competent authorities).
What sole traders can do right now (practical, non-jargon)
If you believe publication creates a safety risk, ABR provides a non-disclosure process and explains what evidence may support it (e.g., statutory declarations, court orders, police reports, silent elector status).
Also be aware: ABR notes trading names collected before 28 May 2012 were displayed on ABN Lookup until 31 October 2025 — but the core issue remains the entity legal name for sole traders.
Conclusion: ABN verification should not double as a people-finder
ABN Lookup is meant to build trust in commerce. But publishing sole trader legal identities by default is an outdated design choice in an era of bulk data, aggregation, and doxxing harm.
The global direction is not blanket secrecy — it’s tiered transparency: publish what’s needed for trust, protect what enables targeting, and ensure legitimate oversight stays strong.
Australia doesn’t need less transparency. It needs smarter transparency.