Key Points
- Optus customers who had their details stolen in a cyber attack are being contacted by the telco.
- Here's what you should do if you received a message.
Optus has revealed more than 2.1 million customers have had their ID documents exposed after the massive data breach.
In a statement released on Monday afternoon, the telco confirmed the stolen data did not contain valid or current document ID numbers for about 7.7 million individuals or businesses.
About 1.2 million of the ID numbers stolen, which include driver's licences, are current.
An additional 900,000 customers have had numbers from expired documents comprised.
Over the weekend, customers received text messages informing them their licence number was accessed during the hack, with limited details on whether they should be concerned or what to do next.
"Cyberattack update: Confirming only the licence number on your Driver Licence was exposed, not the card number," one message seen by SBS News read.
"Your State or Territory government will provide advice on any action that you may need to take via their website."
What do the messages from Optus mean?
An Optus spokesperson told SBS News the company has communicated with customers who have had their driver licence number and/or card number exposed in NSW, ACT, SA, NT, WA and Tasmania.
"We continue to work with the State governments for individuals that hold driver licences in Victoria and Queensland and will provide advice as soon as possible," the spokesperson said.
"Following discussion with our federal, and individual state and territory governments, current and former customers are encouraged to get updates on how best to manage any driver licence concerns via their state or territory government’s official website or driver licence issuing office."
In addition to the valid identification being compromised, Optus confirmed approximately 900,000 customers have had numbers relating to expired IDs compromised, in addition to personal information.
Following data analysis with government agencies, the telco said a further 7.7 million customers had details such as email address, date of birth or phone numbers exposed. However valid or current document ID numbers for those 7.7 million customers were not exposed.
Optus repeated a reminder for these customers to remain vigilant and check written communications carefully.
"We will not send links or request information, like passwords, in the communications we send our customers about the cyberattack," the spokesperson said.
"Scammers will often send from legitimate-looking email addresses, so if in doubt, customers should double check by clicking on the name and checking the sender address."
Queensland transport and main roads minister Mark Bailey said in the first two days alone, more than 16,000 new licence number requests were processed in the state, compared with the previous average of 30 per week, along with 3,400 calls received through the dedicated hotline.
"Optus need to be open and transparent with their customers on exactly what information has been impacted by this privacy botch up, and reveal the true number of people involved," he said.
What do you need to do, and will you have to pay?
If a customer's licence number and licence card number have both been exposed, Optus is strongly recommending a replacement driver licence.
The company says it will contact all impacted customers to advise them whether they need to replace their driver licence.
Depending on the state or territory in which your licence is issued, the cost of replacing your driver licence will either be waived, or Optus will automatically credit customers an amount equal to the cost of the replacement to their Optus account or for former customers, via cheque.
"If customers have not been advised by Optus to replace their licence, then there is no need to do so," the spokesperson said.
"We will only be crediting customers whom we recommend replace their licence."
For customers who need to organise a new licence, Optus is directing people to contact their relevant state or territory departments, with the instructions varying in different jurisdictions.
Here's the latest advice and comments.
Customers have been receiving messages from Optus informing them their licence number has been exposed in the data breach. Source: Supplied / SBS
You will need to visit a Customer Service Centre and provide either an Optus data breach email or written notification from an enforcement authority, along with evidence of identity.
The replacement licence will be offered free of charge. Queensland will be adopting the two-step authentication system in 2023.
NSW: On 1 September, weeks before the 22 September Optus breach, the NSW government implemented a security measure meaning organisations wishing to verify someone's identity needed both the licence and card number of a NSW licence.
"NSW has implemented the national Document Verification Service (DVS) which means both a driver licence number and a driver licence card number are required to verify identity, creating a higher level of security for customers," a spokesperson for the Department of Customer Service told SBS News.
"Customers who have received direct advice from Optus to replace their licences are encouraged to request a replacement licence. Other customers are not required to replace their driver licence."
The government said it would charge $29 for a replacement licence and Optus would provide reimbursement advice to affected customers in coming days.
Victoria: On Monday, a VicRoads spokesperson told SBS News Optus had not yet provided it with the full data regarding all customers who may have been affected.
In Victoria there is only a licence number, and not a separate card number, which means the department will need to replace licences, not just cards.
The Department of Transport and VicRoads has created for concerned customers to request to have their Victorian driver licence record flagged and protected.
By Monday afternoon, more than 145,000 customers had registered.
Customers do not need to attend a centre or arrange a new photo. Using existing customer photos stored within the secure VicRoads database provides an additional layer of identity protection.
The Victorian Government has asked Optus to pay for the cost of replacing the licences of all Victorians caught up in their data breach.
ACT: For those in the ACT, a government spokesperson told SBS News people who receive a text message from Optus confirming that only their licence number was compromised do not need to replace their licence.
In the ACT, your driver licence number stays with you for life, while your driver licence card number changes each time your card is reprinted.
The cost of a replacement licence is $42.60 which will be charged upon application. If Optus has recommended to you that your licence needs to be changed, then they will also process this as a credit on your next bill.
Tasmania: Tasmanian licences have a licence number and personal information cards have a card number.
The ordinary fee of $11.49 will be waived for those Tasmanian motor vehicle licence holders who can demonstrate that they have had both the licence number and the card number disclosed by the Optus data breach.
Optus says it is contacting all impacted customers to advise them whether they need to replace their driver licence following a massive data breach. Source: AAP / Bianca De Marchi
Those impacted by the Optus data breach can visit any Service Tasmania Shop to arrange a new licence number and a replacement licence card.
South Australia: South Australians advised by Optus that their licence number has been compromised are encouraged to change their licence number by attending a Service SA Centre.
The standard $20 replacement fee has been waived for customers requiring a replacement licence as a result of the Optus data breach, with the government seeking reimbursement of any taxpayer liability from Optus.
Once a customer's request for a replacement licence has been processed, a new licence number will be issued and a new licence card identification number will also be provided when the physical card is produced and mailed to them.
In Western Australia: New driver’s licence cards with new licence numbers will be issued to those who have been informed by Optus that their driver’s licence information has been compromised as part of the breach.
Those impacted will need to attend a DoT transport service centre or regional agent to apply for a new driver’s licence number and replacement licence card
You will need to fill in an Application for New Licence Number form, and present it with WA Government-issued photographic identity document, primary and secondary proof of identity, and your notification from Optus.
Northern Territory: According to the government, Northern Territory licences include two unique identifiers, with both of these required for the data to be used in identity fraud.
Customers who had both numbers stolen are strongly advised to apply to have their licence cancelled and re-issued, while those who had only their licence number stolen may are also welcome to have their licence cancelled and re-issued if they are feeling concerned.
Breach notices for impacted customers will need to be presented when obtaining a new licence and fees will be waived by the Northern Territory government.
Optus commissions independent external review
Meanwhile, Optus announced on Monday it is appointing international professional services firm Deloitte to conduct an independent external review of the recent cyberattack as well as its security systems, controls and processes.
Optus CEO Kelly Bayer Rosmarin recommended Deloitte to conduct an independent external review of of Optus and its security systems, controls and processes. Source: AAP / SUPPLIED/PR IMAGE
As part of the review, Deloitte will undertake a forensic assessment of the cyberattack and the circumstances surrounding it.
Ms Bayer Rosmarin said the forensic review would play a crucial role in the response to the incident for Optus, as it works to support customers.
'Extraordinary' lack of communication
Earlier, Cabinet minister Tanya Plibersek criticised Optus for not being more forthcoming about the full nature of the breach.
"One of the real problems is the lack of communication by Optus, both with its customers and the government," she told the Seven Network on Monday.
"I don't think the company is doing a particularly good job with its customers or providing the government with the information we need to keep people safe.
Former home affairs minister Karen Andrews said the government's response to the breach had also been inadequate.
While she did not absolve Optus from its corporate responsibilities, Ms Andrews said the government had "failed quite dismally" in its response.
"The federal government funds an organisation called IDCARE which is ready, willing and able to assist people who have had their identity stolen and could have provided advice to Optus customers," she told ABC Radio National.
She said the breach was a "wake-up call" for all of corporate Australia about the importance of data protection.
- With AAP.
