Optus data breach: Australians will be able to change their driver’s licence with telco to pay

Federal opposition wants commonwealth to allow people to get new passports for free too – and quickly

Australians caught up in a massive breach of Optus data will be able to change their driver’s licence numbers and get new cards, with the telco expected to bear the multimillion-dollar cost of the changeover.

The New South Wales, Victoria, Queensland and South Australia governments on Tuesday evening began clearing the bureaucratic hurdles for anyone who can prove they are victims of the hack, which has affected millions of people.

The alleged Optus hacker’s release of 10,000 customer records has made the need for those affected to replace identity documents urgent, experts say.

Toby Murray, an associate professor in cybersecurity at the University of Melbourne, said the release of data revealed some individuals had multiple documents compromised – which would exceed the 100 points of identification required to prove someone’s identity for organisations such as Centrelink or a police check.

“For those people, they are very much at risk now as a result of the events today,” Murray said on Tuesday. “If I were them, I would certainly be starting the process to change my driving licence number or my Medicare card number.”

The NSW customer service minister, Victor Dominello, has “strongly advised” customers notified by Optus that their driver’s licence details had been compromised to apply for a replacement.

NSW will charge a $29 replacement fee, which it said will be reimbursed by Optus.

Victorians will also get “free” licence number replacements and the chance to flag their licence record in case of future fraud.

“We will request Optus repays the cost of the new licences to the Victorian government,” a spokesperson said.

Similar arrangements are being made in other states and territories and the cost to Optus could run into the tens of millions of dollars.

How hard is it to replace identity documents?

While many Optus customers want to replace their identity documents, not everyone will have the time and funds available to do so.

Murray said while changing your Medicare card number is relatively straightforward, driver’s licences and passports are more challenging.

Murray said those wanting to change their passports would probably have to wait more than three months due to ongoing Covid-19 delays.

He said it was not only difficult for many to find the time to make the application, but the cost involved would be significant for those struggling financially.

The Coalition says the Australian government should cover the cost of new passports for affected Optus customers.
The Coalition says the Australian government should cover the cost of new passports for affected Optus customers. Photograph: Patrick T Fallon/AFP/Getty Images

The Department of Foreign Affairs and Trade (Dfat) said on its website there was no breach of its own systems and passports were still safe to use for travel.

On Tuesday night, the opposition called on the federal government to waive replacement passport fees and expedite processing times.

“Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information, and obtain a new passport,” Coalition senators Simon Birmingham and James Paterson said in a statement.

“While Optus must take responsibility for what may be the largest data breach in Australian history, the Albanese government has a responsibility to help Australians take steps to protect their personal information and security.”

How do you replace your driver’s licence?

Victorians can normally only apply for a new licence if there is evidence fraud has occurred. But a spokesperson for the state’s transport department said on Tuesday that affected Victorians could replace their licence online and the department was requesting that Optus pay.

Anyone notified by Optus that their license details had been breached can contact VicRoads to have their license record flagged and request a replacement.

“By flagging records the Department of Transport will prevent any unauthorised changes or access to individual information through the Victorian licence database,” the department said.

“Records will also be flagged within the national database. We are also reviewing our policies to determine whether replacing licences might be appropriate in this case.”

Flagging an account doesn’t prevent people using licence information for third-party reasons like applying for bank accounts.

To get a new licence number in NSW, customers can apply for a replacement via the Service NSW app, Dominello confirmed on Tuesday afternoon.

“Optus will contact customers in coming days to confirm whether or not they need to apply for a replacement driver licence,” he said.

An interim card number will be instantaneously issued before a plastic licence card is delivered within 10 business days.

Applicants will have to front the $29 replacement fee but “reimbursement advice will be issued by Optus to customers in the coming days”.


1. Firstly I am sorry it has taken several days to reach this landing. People are understandably stressed and need a pathway forward. pic.twitter.com/LYcGSU4dFJ

— Victor Dominello MP (@VictorDominello) September 27, 2022

Dominello apologised for the pivot, which took “several days” to reach.

Previously, customers in NSW had to “report the theft or incident to police and obtain a police event or ReportCyber receipt (CIRS) number” and then complete a replacement form, which led to backlash from angry customers.

“Customers who have had both their driver licence number and associated card number compromised are expected to be contacted by Optus in coming days and are strongly advised to apply for a replacement licence as soon as possible,” Service NSW said.

In Tasmania and South Australia, customers can change their driver’s licence number by attending a service centre.

The South Australian State Government will waive the usual replacement fee for South Australians requiring a new driver’s licence as a result of the recent Optus data breach.

— Peter Malinauskas (@PMalinauskasMP) September 27, 2022

In Queensland, the transport minister, Mark Bailey, tweeted new licences would be provided to people affected as long as they had a data breach notice from Optus or another enforcement agency.

“Should our customers be concerned their driver licence number (also known as customer reference number) has been used for fraudulent activity, they should immediately contact the Queensland police,” the Queensland department of transport said.


Good news for Queenslanders.

New licences, with new numbers, with be provided free of charge to Queenslanders impacted by the Optus breach.

Please attend a @TMRQld Customer Service Centre with documentation during open hours… 1/2

— Mark Bailey MP (@MarkBaileyMP) September 27, 2022

Guardian Australia has contacted the responsible departments in Northern Territory, Western Australia and the Australian Capital Territory.

Who’s going to pay?

Optus has said it will offer “the most affected current and former customers” free credit monitoring for up to 12 months via a subscription to Equifax Protect.

Murray believes it would be appropriate for Optus to bear the additional costs customers are facing, especially the 10,000 whose data was released this morning, because those individuals do not have a choice but to change identity documents.

“Anything Optus can do to assist them I think is appropriate given that ultimate responsibility for this breach rests with Optus and with those who carried out the breach,” Murray said.

However, Murray said right now the onus was “very much on individuals … to manage their own security and to mitigate the impacts of this breach.”

The state of privacy regulation in Australia means companies are “just not that liable at the moment for these kinds of breaches”, Murray said.

“We don’t have a strong culture yet in this country of companies who are breached, assisting individuals to respond to them.”.

Ben Zocco, a class actions senior associate at law firm Slater and Gordon, said the offer of credit monitoring for those most affected was a Band-Aid solution.

“It does not address the continuing risk that customer data may be used by bad actors for identity theft or contacting vulnerable members of the community, such as domestic violence survivors, victims of stalking and other threatening behaviour, or asylum seekers.

“We are continuing to investigate available legal options for affected customers.”

– with Australian Associated Press


Natasha May

The GuardianTramp

Related Content

Article image
Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office
Optus CEO says federal police are ‘all over’ post with ultimatum demanding $1m within four days after massive data breach

Natasha May and Josh Taylor

27, Sep, 2022 @1:32 AM

Article image
Optus tells former Virgin Mobile and Gomo customers they could also be part of data breach
Identification repair service receives a month’s worth of complaint calls in three days as government pressures telco to pay for replacement ID documents

Josh Taylor

29, Sep, 2022 @5:32 AM

Article image
Optus cyber-attack: how do you know if your identity has been stolen and what will happen to your data?
If you are an Optus customer, this is what you need to know

Josh Taylor

23, Sep, 2022 @8:00 PM

Article image
Optus customers exasperated by chatbots and ‘rubbish’ communication after data breach
Some customers look to switch providers after puzzling responses and ‘less than helpful’ service

Josh Taylor

26, Sep, 2022 @5:30 PM

Article image
Optus cyber-attack could involve customers dating back to 2017
CEO says company has not yet confirmed how many people were affected by hack, but 9.8 million was ‘worst case scenario’

Josh Taylor

23, Sep, 2022 @3:04 AM

Article image
Optus data security breach: what should I do to protect myself?
Experts say while ‘there’s no need to panic’, there are steps you can take to ensure you’re not exposed to scams or identity theft

Natasha May

26, Sep, 2022 @6:44 AM

Article image
Optus data breach: who is affected, what has been taken and what should you do?
After a malicious cyber-attack, customers of Australia’s second-largest telco are advised they could be at risk of identity theft

Ben Doherty

22, Sep, 2022 @8:31 AM

Article image
Customers’ personal data stolen as Optus suffers massive cyber-attack
Personal information of potentially millions of customers exposed, including names, dates of birth, addresses, and contact details

Ben Doherty

22, Sep, 2022 @5:14 AM

Article image
Government flags new cybersecurity laws and increase in fines after Optus breach
Clare O’Neil says penalties for telcos are ‘totally inappropriate’ and data breach was ‘significant error’

Sarah Martin and Paul Karp

26, Sep, 2022 @5:30 PM

Article image
Anthony Albanese says ‘Optus should pay’ for new passports for data breach victims
Push comes day after states suggest telco will pick up multi-million dollar tab for replacing driver’s licences of affected customers

Josh Butler and Ben Butler

28, Sep, 2022 @9:57 AM