Optus data breach: what to do to safeguard yourself against identity theft

(Image credit: SOPA Images / LightRocket via Getty Images)

The Optus data breach exposed the records of 9.8 million current and former customers, and Optus has confirmed that 2.1 million customers had critical identity documents stolen in the hack, including the ID numbers of passports, driver’s licences and Medicare cards.

On September 27, an anonymous online account claimed that it had deleted the stolen data and no longer planned to sell it, but this change of heart came after the hacker had already leaked the records of 10,000 Optus customers online.

Optus is now working with the Australian Federal Police (AFP) and other agencies to identify the 10,000 individuals who are at heightened risk of identity fraud, a process which is still ongoing at this point.

Regardless of whether you’re in that group, if you’re one of the millions impacted by the Optus data breach you should make it an urgent priority to take steps to safeguard yourself. Here’s what you can do to prevent identity theft.

Jump to: Driver’s licence replacement
Jump to: Passport replacement
Jump to: Medicare number replacement
Jump to: Sign up to Equifax

Driver’s licence replacement

Customers in all states and territories that were contactable have been notified if their driver’s licence was breached
Customers that didn’t have valid contact details have been sent a letter to their last known mailing address
Read our guide on how to get a new Australian driver’s licence

As of October 17, Optus has confirmed that it’s contacted individuals from all states and territories who have had their driver licence number and card number stolen – but that’s only if their contact information was up-to-date.

For the impacted customers that Optus didn’t have valid contact information for, the telco says it is contacting them by mail, to the last address it has on file.

We have a dedicated guide on how to get a new Australian driver’s licence in each state and territory. If you have a driver’s licence from NSW or the ACT, you’ll only need to replace your licence if both the card number and licence number have been compromised. You can get specific guidance from your state or territory’s licence issuer below:

Passport replacement

Apply online: Australian Passport Office
Lodge in-person: Australia Post
How to get a passport when overseas

Optus has stated that 150,000 passport numbers were exposed in the Optus breach. The Australian Passport Office (APO) has now advised that impacted individuals do not need to replace their Australian passport, and it is still safe to use for travel.

This is because Optus has provided the stolen passport numbers to the Documentation Verification Service (DVS), meaning they can no longer be used to verify your identity online.

The DVS is used by banks and government departments such as Centrelink to check your identity, so by blocking stolen passport numbers in the DVS, affected Aussies are at a lower risk of identity fraud. Affected customers are still able to verify their identity in person using their passport.

While those who had their passport number stolen in the Optus hack are no longer required to renew their passport, Optus says there are “specific circumstances” where it will cover the cost of replacing passports for those who are still concerned.

Optus says it’s finalising the process for reimbursing passports, and will have more information available next week. If you had your New Zealand or international passport exposed in the cyberattack, head directly to Optus’ passport information page.

More details on how the Optus data breach affects passports is available on the APO’s website.

Medicare number replacement

Apply online: myGov’s Medicare portal
Apply through app: Express Plus Medicare app
Call: 132 011

Medicare numbers of Optus customers have also been exposed by the data breach. On October 7, the telco announced that more Medicare ID numbers had been exposed than originally thought.

Optus’ revised numbers identified 17,000 valid Medicare ID numbers that have not expired were stolen in the hack – that’s an additional 2,100 more than first reported. A further 26,000 expired Medicare card numbers were also taken, which is 4,000 more than first thought.

Only Optus customers who used their Medicare card to verify their identity have had this data exposed, and the telco says it’s communicated with all contactable customers who were impacted.

You can go to Services Australia to get a new Medicare card number. Replacing your Medicare card in this way will give you an almost-identical Medicare number as you did previously, and only the last digit will change.

If you had other ID documents stolen such as your passport or driver’s licence, along with your Medicare card number, then you’re likely at a higher risk of identity fraud. You can apply for a completely new card number on the Services Australia website through an MS011 form.

More information on how the Optus data breach affects Medicare cards is available on the Services Australia website.

Hand holding Australian passport — (Image credit: Atstock Productions / Getty Images)

A subscription-based credit monitoring service
Eligible exposed users can claim a free 12-month subscription
You will be contacted by Optus if you’re eligible

Optus has stated that it’s providing a free 12-month subscription of Equifax Protect to eligible current and former customers. Equifax Protect is a credit monitoring and identity protection service, which can be used to help protect your credit profile and identity.

You’ll be eligible if you’ve had one or more of your identity numbers stolen, along with information such as your name, date of birth, email address and phone number. Optus will contact you directly if you’re eligible.

Once you’ve been contacted by Optus, you can register for your free Equifax Protect subscription on the Equifax website. Optus is not including any links in its emails or text messages to customers – if you receive any links in communication claiming to be from Optus, it is a phishing attempt.

It appears as though Equifax has been overwhelmed by Optus customers looking to register, as its website now says it’s “currently experiencing unprecedented high call volumes and wait time” following the cyberattack. For the quickest Equifax advises that requesting a ban on your credit report is one of the easiest ways to safeguard yourself against identity theft.

Class action lawsuit: consider registering with Slater and Gordon or Maurice Blackburn

Australian law firm Slater and Gordon is currently looking into a class action lawsuit against Optus. The law firm says it’s researching potential compensation for Optus customers who have been impacted by the data breach. It’s in the early stages, but you can register for updates on the investigation on the Slater and Gordon website.

Maurice Blackburn is also looking into potential class action against Optus following the data breach. It says it’s investigating potential legal action and compensation for affected customers, and you can register to receive updates on the Maurice Blackburn website.

My identity documents weren’t exposed – what should I do?

While some 2.1 million Optus customers had sensitive identity numbers compromised, almost 8 million others had less critical information exposed, such as name, date of birth, email address and phone number.

Optus will let you know if you’re in this subset of customers, and while it’s unlikely you’ll need to replace your driver’s licence or passport, you’re still potentially at risk of scams and phishing attempts – be extra wary of unknown people contacting you.

For more information on how to protect yourself after the Optus data breach, go to these websites:

Australian Cyber Security Centre (ACSC) – government website
Office of the Australian Information Commissioner (OAIC) – government website
ScamWatch – government website
IDCare – not-for-profit charity, Australia’s cyber support service
MoneySmart – government website

Should you switch from Optus?

If you’re a current customer looking to change mobile or internet providers, we have an in-depth guide on how to switch from Optus. Whether or not you’re able to switch from Optus without facing any exit fees or device repayments comes down to the terms of your current contract, so check that first before making any decisions.

There’s no way for us to know if Telstra, Vodafone or smaller telcos have similar weaknesses to Optus, but you might be ready to take your money elsewhere regardless. For recommendations on which provider to switch to, we have curated guides to the best NBN plans and best SIM-only plans to help you find an alternatives to Optus.

Staying with Optus could have some benefit though – the telco is very keen to retain its customers following the fallout, and we’ve learned some existing Optus customers have received a 15% discount on their plan for staying.

Optus data hacker backflips on ransom demand, apologises to users

Jasmine Gearie is an Ecommerce Editor at TechRadar Australia, with a primary focus on helping readers cut through the jargon to find the best mobile and internet plans for their needs. She crunches the numbers to maintain dedicated guides to the latest phones, NBN and broadband plans of all types, and covers the important telco industry news. She also hunts down tech deals on laptops, phones, gaming consoles and more, so readers know where to buy the products they want for the cheapest prices.

See more Phone How Tos