Optus Data Breach: How to update your information and protect yourself
Up to 10 million customers were affected by a massive Optus data breach this week, with personal information – including names, email addresses, Medicare numbers and driver’s licence numbers – stolen. As a result, you may need to update some of your cards and details.
More than 10,000 people have had their personal data released publicly as part of a ransom threat so far. Although the alleged hacker has said they will not release more data, it is difficult to confirm what data is safe while they remain anonymous.
Optus says it is contacting affected customers throughout the week and they are also working with “a number of organisations” to deliver additional protection.
“The Australian Cyber Security Centre has provided advice for those current and former customers who have been impacted on their website, cyber.gov.au,” Optus said via an online statement.
“The ACSC’s 1300 CYBER1 hotline also provides advice and referral information to those impacted.”
Optus also recommends people contact reputable sources for information and advice, including Moneysmart, ID Care, and the Office of the Australian Information Commissioner.
Additionally, Optus has reaffirmed it will never send hyperlinks through email or SMS notifications, and if any customer does receive an email or SMS with a link claiming to be from Optus, do not click on it.
If you are concerned about identity theft, there are several steps you can take to update some personal information.
What information was stolen?
Optus has confirmed that the following personal information was taken by the hacker:
- Names
- Dates of birth
- Email addresses
- Postal addresses
- Phone numbers
- Passport numbers
- Driver’s licences
- Medicare numbers
Optus says that no financial information, including credit card details or bank account details, have been compromised.
While some information, such as your name and home address, cannot be altered, there are ways for you to update and protect other details like your Medicare number and driver’s licence.
This is what you can do if your information was stolen during the Optus data breach.
How to change your driver’s licence
Optus requires customers to provide their driver’s licence number as proof of identity when signing up for a mobile or internet plan.
More recently, Optus has also asked for the driver’s licence card number – that is a number located on the back of your licence – as additional verification.
All States and Territories have announced they will provide new licence cards for people affected by the Optus data breach. You are required to provide evidence that you have been affected, such as direct communication from Optus in the form of a notification email.
Replacement card fees will either be waived or can be covered by Optus, who has said they will pay for replacement cards. Optus will provide advice on how the reimbursement process occurs.
As there are differing methods in each State or Territory, it is important to pay close attention to your relevant Government instructions. Some service branches are extending their hours to ensure victims can get their new licences fast tracked.
Australian Capital Territory – The ACT Government has said that you will only need to replace your licence if you are contacted by Optus. If you receive no communication, you do not have to replace it.
If you do require a new licence, you can apply online via the Access Canberra website, in person at any Access Canberra Service Centre, or over the phone with the Access Canberra Resolution and Support Team on 13 22 81.
New South Wales – The NSW Government is working with Optus to provide assistance for impacted customers that have been notified of a data breach.
If Optus has contacted you, you can replace your driver’s licence online through Service NSW, in person at any Service Centre, or over the phone on 13 77 88. You will have to pay an upfront replacement fee which can be reimbursed by Optus.
Northern Territory – The NT Government has waived replacement fees, so if you have been affected you can visit a Motor Vehicle Registry (VHR) centre with your Optus notice. Regional and remote Territorians can phone the NVR on 1300 654 628.
Queensland – The QLD Government will replace driver’s licences free of charge. You will have to visit a Transport and Main Roads customer service centre with proof of communication by Optus. You can phone them on a dedicated priority hotline for additional information on 07 3097 3108.
South Australia – The SA Government has also waived licence replacement fees. You can attend any Service SA centre to apply for a change of licence with proof of contact by Optus. Additional support is available over the phone on 13 10 84.
Service SA branches have extended their hours to assist Optus customers who were impacted by the data breach.
Tasmania – If your licence number is compromised, the Tasmanian Government will issue a new licence number if you provide proof of contact from Optus. There is no charge. You can attend any Service Tasmania service centre or support is available over the phone on 1300 135 513.
Victoria – A dedicated application process has been set up by the Victorian Government for impacted Optus customers.
You can fill out the appropriate form online through VicRoads which will ensure your licence number is flagged if any unauthorised use occurs. You can also phone VicRoads for more advice on 13 11 71.
Western Australia – The WA Government asks that you attend a Department of Transport service centre or regional agent to apply for a new licence, free of charge. A notice of breach by Optus is required. You can also phone the WA Department of Transport for advice on 13 11 56.
How to change your passport
If you have used your passport as proof of identity with Optus, the good news is that no one can travel using those leaked details. However, the information can still be used for identity theft.
If you are interested in cancelling or replacing your passport, more information is available online via the Australian Government’s Australian Passport Office website. You can also replace a passport by:
- Accessing the online passport replacement portal
- Picking up a replacement form your Australia Post outlet
- Contacting a relevant Australian diplomatic or consular mission
Currently Optus is not covering the cost of replacing passports, which is $193. Foreign Affairs Minister Penny Wong has written to Optus requesting they pay for replacement customer passports.
Prime Minister Anthony Albanese also says the Government is clear that taxpayers should not have to “pick up the bill here”.
It is also possible that Optus will cover the replacement fees if asked, although no confirmation has been given by the telecommunications provider as of yet.
How to change your Medicare card
Optus has revealed that almost 37,000 Medicare ID numbers have been impacted by the data breach. Close to 15,000 are still valid and have not expired.
“All of the customers who have a Medicare card that is not expired will be contacted within 24 hours,” Optus said via a statement.
“There are a further 22,000 expired Medicare card numbers [that have been] exposed.
“Out of an abundance of caution, [cardholders] will also be contacted directly over the next couple of days.
“Please be assured that people cannot access your Medicare details with just your Medicare number. If you are concerned or have been affected, you can replace your Medicare card as advised by Services Australia.”
Although your Medicare details cannot be accessed, it is possible that the information can be used for identity theft.
Several options are available if you want to replace your Medicare card, including:
- Phoning the Medicare program on 13 20 11
- Using Medicare online via MyGov
- Using your Express Plus Medicare mobile app
If you believe your Medicare card has been used for identity theft or is related to a scam, you can also call Services Australia’s Scams and Identity Theft Help Desk on 1800 941 126.
Update important passwords
Some of the details taken by the hacker could be used to get into important accounts, like your bank accounts or other financial related services.
It is vital that you update these passwords to more secure options, especially if you use any combination of a birthday or address in your password.
For a strong password, you can create a password using letters, numbers and symbols. For example, ‘shoebox’ becomes ‘$ho3b*x’.
You could also convert a phrase into an acronym, so ‘the quick brown fox jumps over the lazy dog’ becomes ‘Tqbfjotld!’, or string together a phrase such as ‘Quickbr0wnfox!’.
It is also recommended that you reinforce existing accounts with an updated password or multi-factor authentication where possible.
What other options are available?
If your information has been taken, you can also sign up for a 12-month subscription to Equifax Protect, a credit monitoring and identity protection service.
Optus will contact you to offer the service, or you can request it if your data has been breached. They will provide you with a code for the free subscription.
Equifax Protect normally costs $14.95 per month, and you will be charged if you do not cancel the subscription after the 12 month period ends.
It is also possible to create a new email account or sign up to a new phone provider with a new phone number, if you choose. However, you will have to update all accounts, subscriptions, contacts, and more with your new email and phone number if changes are made.
To learn more about the rise of scams, and how you can stay vigilant, read our informative guide ‘Being wary of scams and sharing your personal information‘.
Have you been affected by the Optus data breach? Tell us about your experience in the comments below.