Privacy Commissioner John Edwards says he is monitoring the Yahoo hack that compromised up to 500 million users' accounts.
The hack affects a small portion of the 825,000 email accounts that Spark provides to users through its partnership with Yahoo.
Mr Edwards says the hack exemplifies the international nature of privacy, with the US Federal Trade Commission and Irish Data Protection Commissioner already working together to make inquiries into the incident.
He says the Yahoo hack included names, email addresses and security questions and answers used to reset passwords. Most Spark customers have probably not had their security questions and answers compromised.
It is not yet clear when Yahoo learned about the hack, which took place in 2014.
"We are grateful that Spark quickly alerted us about this breach and immediately began taking action to resolve it," Mr Edwards says.
"However, the fact that Yahoo may have known about the breach for a number of months before alerting the public shows why we need mandatory breach notification. Every day counts in a data breach and agencies need greater incentive to take a leaf out of Spark's book by promptly telling customers that their personal information has been compromised."
Proposed reforms to the Privacy Act 1993 include mandatory breach notification, where agencies must report breaches of a certain scale.
"When agencies lose customer data, they need to help those customers take steps to protect themselves by alerting them as quickly as possible," Mr Edwards says.
"This is particularly true with a breach of this size and with such sensitive information. Email accounts are often a central repository of peoples' online identities, so a compromised email account can lead to other information being compromised, such as banking and medical information."