In the week since Optus first became aware of a major data breach that could have affected more than 10 million Australians, emotions have been running high.
As the dust starts to settle, here’s what you need to do.
How do I know if my data has been compromised?
By now, you should have received either a text message or email from Optus to advise whether any of your details were leaked.
The telecommunications company said it continues to reach out to affected customers to confirm exactly what had been accessed.
On Wednesday (28 September), Minister for Business and Better Regulation Tara Cheyne said the Territory government had sought assurances from the company that all customers in the ACT who needed to replace their driver’s licence would be contacted by the end of the week.
Payment details and account passwords have not been compromised as a result of this attack, Optus has confirmed.
So, my identity documents have been accessed. What next?
A cybersecurity expert at the Australian National University, Dr Vanessa Teague, said the first step is to apply for new documents and ensure the old ones have been cancelled.
In some cases, people will need to apply to Federal Government authorities to get a new Medicare card (which can be done online).
The new Medicare number will be the same, except for the last digit.
Services Australia has confirmed Medicare details cannot be accessed just with a Medicare card.
Others may have had their passport details leaked, and while authorities say no one can travel in your name using your details, they can still be used for identity theft.
Passports can be replaced online, through Australia Post or by contacting an Australian diplomatic mission.
It costs $193 to replace a passport, but the government is urging Optus to foot the bill.
What about my driver’s licence?
The ACT Government is calling for calm over replacement licences, saying only a small number (in the hundreds) of Canberrans will need a new one.
Anyone who has opened an Optus account since the start of this month will need a new licence. The government says that only the card number (not the licence number) needs to change because the Territory switched to a new system on 1 September, which requires both the licence number and the card number to verify your identity.
Optus will credit the $42.60 cost of a new licence to customers’ accounts.
What if I’m not in that cohort?
Customers who may want to replace their licence even if they aren’t in this “at-risk” cohort can do so at their own cost.
The more vulnerable cohort will be prioritised.
Licences can be applied for online, over the phone or at an Access Canberra service centre.
What else can I do to protect myself?
Dr Teague said while it might be unfortunate, there’s not much that can be done at an individual level.
“I’m ambivalent about some of the ‘pay attention to your situational awareness’ advice because this is not the responsibility of the people whose data was leaked,” she said.
“It’s not a bad thing to do but it detracts from the fact that once your identity documents are out there, you can’t do much but get it cancelled.”
She encouraged people to take advantage of offers to redo identity documents.
Optus is offering affected customers a year’s free subscription to a credit monitoring and identity protection service called Equifax Protect.
Dr Teague did note that Equifax was itself responsible for one of the world’s largest data breaches in 2017.
What about in the future?
Basically, think before you hand over identity documents and numbers to anyone.
“Avoid it as much as you can … and think about whether you can just say no,” Dr Teague said, although she acknowledged there are many circumstances where this is unavoidable.
Once again, she doesn’t think this should be the responsibility of the individual.
So, do we need regulations and laws to be changed?
According to Dr Teague, that’s a big yes.
“These problems are not going away while people remain under pressure to hand over their identity documents and numbers for ordinary, commercial transactions,” she said.
Instead of handing over identity documents, Dr Teague advocates for a system where documents and identifying numbers would be sighted, verified and not stored.
“That’s what identity documents were supposed to be for, but we’ve adopted this completely stupid protocol of identifying yourself over the internet by exposing all those numbers,” Dr Teague said.
What is law enforcement doing about all of this?
This morning (30 September), the Australian Federal Police (AFP), all state and territory police forces, the Australian Cyber Security Centre, Australian Banking Association, IDCARE and Customer Owned Banking Association announced they had set up Operation Guardian to help “shield affected customers” from the risk of identity crime and financial fraud.
For further information about the Optus data breach, visit Access Canberra.