given that CASA has for a number of years contacted out their ASIC issuing program, I'd suggest possibly a leak there.
A smallish company with less tha 100 staff recently had their HR files hacked and all personal information including names, addresses, annual salary and TFN all harvested. The result was false tax returns lodged and paid by the ATO to the tune of something like $500k. Now there's an organisation that leaks like a sieve.