Australians caught up in a massive breach of Optus data will be able to change their driver’s licence numbers and get new cards, with the telco expected to bear the multimillion-dollar cost of the changeover.
The New South Wales, Victoria, Queensland and South Australia governments on Tuesday evening began clearing the bureaucratic hurdles for anyone who can prove they are victims of the hack, which has affected millions of people.
The alleged Optus hacker’s release of 10,000 customer records has made the need for those affected to replace identity documents urgent, experts say.
Toby Murray, an associate professor in cybersecurity at the University of Melbourne, said the release of data revealed some individuals had multiple documents compromised – which would exceed the 100 points of identification required to prove someone’s identity for organisations such as Centrelink or a police check.
“For those people, they are very much at risk now as a result of the events today,” Murray said on Tuesday. “If I were them, I would certainly be starting the process to change my driving licence number or my Medicare card number.”
The NSW customer service minister, Victor Dominello, has “strongly advised” customers notified by Optus that their driver’s licence details had been compromised to apply for a replacement.
NSW will charge a $29 replacement fee, which it said will be reimbursed by Optus.
Victorians will also get “free” licence number replacements and the chance to flag their licence record in case of future fraud.
“We will request Optus repays the cost of the new licences to the Victorian government,” a spokesperson said.
Similar arrangements are being made in other states and territories and the cost to Optus could run into the tens of millions of dollars.
How hard is it to replace identity documents?
While many Optus customers want to replace their identity documents, not everyone will have the time and funds available to do so.
Murray said while changing your Medicare card number is relatively straightforward, driver’s licences and passports are more challenging.
Murray said those wanting to change their passports would probably have to wait more than three months due to ongoing Covid-19 delays.
He said it was not only difficult for many to find the time to make the application, but the cost involved would be significant for those struggling financially.
The Department of Foreign Affairs and Trade (Dfat) said on its website there was no breach of its own systems and passports were still safe to use for travel.
On Tuesday night, the opposition called on the federal government to waive replacement passport fees and expedite processing times.
“Victims of the Optus cyber hack should not have to wait or pay significant amounts of fees to secure their personal information, and obtain a new passport,” Coalition senators Simon Birmingham and James Paterson said in a statement.
“While Optus must take responsibility for what may be the largest data breach in Australian history, the Albanese government has a responsibility to help Australians take steps to protect their personal information and security.”
How do you replace your driver’s licence?
Victorians can normally only apply for a new licence if there is evidence fraud has occurred. But a spokesperson for the state’s transport department said on Tuesday that affected Victorians could replace their licence online and the department was requesting that Optus pay.
Anyone notified by Optus that their licence details had been breached can contact VicRoads to have their licence record flagged and request a replacement.
“By flagging records the Department of Transport will prevent any unauthorised changes or access to individual information through the Victorian licence database,” the department said.
“Records will also be flagged within the national database. We are also reviewing our policies to determine whether replacing licences might be appropriate in this case.”
Flagging an account doesn’t prevent people using licence information for third-party reasons like applying for bank accounts.
To get a new licence number in NSW, customers can apply for a replacement via the Service NSW app, Dominello confirmed on Tuesday afternoon.
“Optus will contact customers in coming days to confirm whether or not they need to apply for a replacement driver licence,” he said.
An interim card number will be instantaneously issued before a plastic licence card is delivered within 10 business days.
Applicants will have to front the $29 replacement fee but “reimbursement advice will be issued by Optus to customers in the coming days”.
Dominello apologised for the pivot, which took “several days” to reach.
Previously, customers in NSW had to “report the theft or incident to police and obtain a police event or ReportCyber receipt (CIRS) number” and then complete a replacement form, which led to backlash from angry customers.
“Customers who have had both their driver licence number and associated card number compromised are expected to be contacted by Optus in coming days and are strongly advised to apply for a replacement licence as soon as possible,” Service NSW said.
In Tasmania and South Australia, customers can change their driver’s licence number by attending a service centre.
In Queensland, the transport minister, Mark Bailey, tweeted new licences would be provided to people affected as long as they had a data breach notice from Optus or another enforcement agency.
“Should our customers be concerned their driver licence number (also known as customer reference number) has been used for fraudulent activity, they should immediately contact the Queensland police,” the Queensland department of transport said.
Guardian Australia has contacted the responsible departments in Northern Territory, Western Australia and the Australian Capital Territory.
Who’s going to pay?
Optus has said it will offer “the most affected current and former customers” free credit monitoring for up to 12 months via a subscription to Equifax Protect.
Murray believes it would be appropriate for Optus to bear the additional costs customers are facing, especially the 10,000 whose data was released this morning, because those individuals do not have a choice but to change identity documents.
“Anything Optus can do to assist them I think is appropriate given that ultimate responsibility for this breach rests with Optus and with those who carried out the breach,” Murray said.
However, Murray said right now the onus was “very much on individuals … to manage their own security and to mitigate the impacts of this breach.”
The state of privacy regulation in Australia means companies are “just not that liable at the moment for these kinds of breaches”, Murray said.
“We don’t have a strong culture yet in this country of companies who are breached, assisting individuals to respond to them.”
Ben Zocco, a class actions senior associate at law firm Slater and Gordon, said the offer of credit monitoring for those most affected was a Band-Aid solution.
“It does not address the continuing risk that customer data may be used by bad actors for identity theft or contacting vulnerable members of the community, such as domestic violence survivors, victims of stalking and other threatening behaviour, or asylum seekers.
“We are continuing to investigate available legal options for affected customers.”
– with Australian Associated Press