30 September 2022

Had your data compromised in the Optus hack? Here's what to do now

| Lottie Twyford
Join the conversation
Optus store

It’s still unknown how many Canberrans have been caught up in the Optus data breach. Photo: File.

In the week since Optus first became aware of a major data breach that could have potentially affected more than 10 million Australians, emotions have been running high.

As the dust starts to settle, here’s what you need to do.

How do I know if my data has been compromised?

By now, you should have received either a text message or email from Optus to advise whether any of your details were leaked.

The telecommunications company said it continues to reach out to affected customers to confirm exactly what had been accessed.

On Wednesday (28 September), Minister for Business and Better Regulation Tara Cheyne said the Territory government had sought assurances from the company that all customers in the ACT who needed to replace their driver’s licence would be contacted by the end of the week.

Payment detail and account passwords have not been compromised as a result of this attack, Optus has confirmed.

Person holding licence

The Territory government says most Canberrans are at low risk of fraud following the Optus breach. Photo: Lottie Twyford.

So, my identity documents have been accessed. What next?

A cybersecurity expert at the Australian National University, Dr Vanessa Teague, said the first step is to apply for new documents and ensure the old ones have been cancelled.

In some cases, people will need to apply to Federal Government authorities to get a new Medicare card (which can be done online).

The new Medicare number will be the same, except for the last digit.

Services Australia has confirmed Medicare details cannot be accessed just with a Medicare card.

READ ALSO Redeveloped War Memorial’s new galleries to include frontier conflicts

Others may have had their passport details leaked, and while authorities say no one can travel in your name using your details, it can still be used for identity theft.

Passports can be replaced online, through Australia Post or by contacting an Australian diplomatic mission.

It costs $193 to replace a passport, but the government is urging Optus to foot the bill.

READ ALSO Public health emergency is over: mask, vax mandate scrapped

What about my driver’s licence?

The ACT Government is calling for calm over replacement licences, saying only a small number (in the hundreds) of Canberrans will need a new one.

Anyone who has opened an Optus account since the start of this month will need a new licence. The government says that only the card number (not the licence number) needs to change because the Territory switched to a new system on 1 September, which requires both the licence number and the card number to verify your identity.

Optus will credit the $42.60 cost of a new licence to customers’ accounts.

What if I’m not in that cohort?

Customers who may want to replace their licence even if they aren’t in this “at-risk” cohort can do so at their own cost.

The more vulnerable cohort will be prioritised.

Licences can be applied for online, over the phone or at an Access Canberra service centre.

READ ALSO School uniforms – equaliser or outdated?

What else can I do to protect myself?

Dr Teague said while it might be unfortunate, there’s not much that can be done at an individual level.

“I’m ambivalent about some of the ‘pay attention to your situational awareness’ advice because this is not the responsibility of the people whose data was leaked,” she said.

“It’s not a bad thing to do but it detracts from the fact that once your identity documents are out there, you can’t do much but get it cancelled.”

She encouraged people to take advantage of offers to redo identity documents.

Optus is offering affected customers a year’s free subscription to a credit monitoring and identity protection service called Equifax Protect.

Dr Teague did note that Equifax was itself responsible for one of the world’s largest data breaches in 2017.

READ ALSO Is there a way to end distracted driving forever? UC psychologist trials new tool to find out

What about in the future?

Basically, think before you hand over identity documents and numbers to anyone.

“Avoid it as much as you can … and think about whether you can just say no,” Dr Teague said, although she acknowledged there are many circumstances where this is unavoidable.

Once again, she doesn’t think this should be the responsibility of the individual.

So, do we need regulations and laws to be changed?

According to Dr Teague, that’s a big yes.

“These problems are not going away while people remain under pressure to hand over their identity documents and numbers for ordinary, commercial transactions,” she said.

Instead of handing over identity documents, Dr Teague advocates for a system where documents and identifying numbers would be sighted, verified and not stored.

“That’s what identity documents were supposed to be for, but we’ve adopted this completely stupid protocol of identifying yourself over the internet by exposing all those numbers,” Dr Teague said.

What is law enforcement doing about all of this?

This morning (30 September), the Australian Federal Police (AFP), all state and territory police forces, the Australian Cyber Security Centre, Australian Banking Association, IDCARE and Customer Owned Banking Association announced they had set up Operation Guardian to help “shield affected customers” from the risk of identity crime and financial fraud.

For further information about the Optus data breach, visit Access Canberra.

Join the conversation

All Comments
  • All Comments
  • Website Comments

I discovered something I found interesting about Optus’ behaviour today.

Some years ago, when living at a different address, I had an iPad data SIM from Optus. I was confident I had never given them critical data (primary or secondary ID) for this, and Optus eventually wrote to say the same. As I mentioned elsewhere, I presume name, address and phone number are public knowledge. Remember telephone books?

However, I decided to look up to confirm they had an old address and whether it was correct that they held nothing else. My existing [secure] login ‘worked’ except I was then kicked out because I buy no current service from them. Yet, I know by other means that if I were to activate a service then they would reactivate my existing login, as is.

This seems wrong. If they retain login parameters then I should be able to log in and review or change any data, not reliant on whether I have an active service at the time. It is my private data, and it is not as if I could do anything else with such a login. Indeed, I should be able to delete even low-risk data entirely, subject only to the Federal 2-year metadata law.

I conclude that Optus has poor service, poor risk management and, from observing recent news, seems to believe that disaster management is about the public face ahead of crisis actions.

Phew, good to know that my account and password details haven’t been compromised, but a smart crim can steal my identity and financially ruin me with just a few numbers and letters off a driver’s licence

Daily Digest

Want the best Canberra news delivered daily? Every day we package the most popular Riotact stories and send them straight to your inbox. Sign-up now for trusted local news that will never be behind a paywall.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.