Optus hack victims charged for passport and licence number changes

Customers impacted by the Optus hack will have to pay if they want to change their passport. And when it comes to drivers licences, details are murky and vary from state-to-state.

The Optus hack resulted in a plethora of personal information being stolen from millions of customers. The most concerning has been licence and passport numbers due to their heightened ability to be used for fraud and identity theft.

When Optus started reaching out to impacted customers, it began with those who had licence and passport numbers stolen. According to the telco, it had finished contacting these customers on Monday.

“Optus has now sent email or SMS messages to all customers whose id document numbers, such as licence or passport number, were compromised because of the cyberattack,” Optus said in an email.

“We continue to reach out to customers who have had other details, such as their email address, illegally accessed.”

In a second email on Monday, Optus also announced it would be offering free credit monitoring for impacted customers through Equifax. 

“We are now taking a further step to help reduce the risk of identity theft. Optus is offering the most affected current and former customers whose information was compromised because of a cyberattack, the option to take up a 12-month subscription to Equifax Protect at no cost. Equifax Protect is a credit monitoring and identity protection service that can help reduce the risk of identity theft,” Optus said in an email.

If you cast your minds back to 2017, Equifax had one of the largest data breaches in history, resulting in the private records of more than 163 million being compromised.

This doesn’t seem to concern Optus.

“Following the 2017 U.S cyber attack on Equifax, the organisation has transformed its security program. The company invested $1.5 billion USD to build top-tier security and technology capabilities, hired more than 600 highly-skilled cybersecurity professionals to protect consumer data, and introduced next generation detection and response technology across our enterprise,” Optus said in an email to SmartCompany.

The telco also stated that “Equifax Australia and New Zealand systems were not compromised by the 2017 cyber security incident.”

So what’s going on with the passports impacted by the Optus hack?

As a result of the hack, many Optus customers have been keen to change their passports and licences as a safety measure. Considering that these documents can be valid for up to 10 years, this isn’t surprising.

But it’s also not the easiest or cheapest process.

The Australian Passport Office has an entire section of its website dedicated to the Optus hack. It mostly serves as an FAQ and a reminder that the Department of Foreign Affairs and Trade (DFAT) systems were not breached. It also assures people that it is still safe to use their passports and that no one else should be able to get a passport under their identity.

“We use robust controls that protect your passport from identity takeover, including sophisticated facial recognition technology,” the website reads.

However, it also states that if you do want to get a new passport off the back of the Optus breach, you’ll have to pay out of pocket. And probably wait awhile considering the ongoing passport issues in Australia.

The language used in the FAQ is quite pointed, stating that changing your passport is a choice.

“This is a personal decision for you to make. If you feel concerned about your current passport, you can renew it at any time in the usual way,” the website reads.

This stance is solidified further in the section title ‘If I get a new passport, will I have to pay for it?’

“Yes. If you choose to replace your passport, you’ll have to pay the application fee when you lodge your application.”

In Australia it costs $155 for a 5-year validity passport and $308 for a 10-year.

SmartCompany has reached out to DFAT for comment.

And what about driver’s licences?

Given that driver’s licences are state and territory issued, this seems to be a messier process. SmartCompany has spoken to sources from four different states so far that have reported different experiences in getting new licences.

New South Wales

NSW Customer Service Minister Victor Dominello has stated publicly that impacted customers should apply for new licences. Details on how to do this can be found over at the NSW government website.

“Behind the scenes, the NSW Department of Customer Service, Transport for NSW, Cyber Security NSW, ID Support and Registry of Births Death and Marriages — are working with Optus to make the process of re-issuing of NSW identity documents as seamless as possible,” Dominello said on LinkedIn on Tuesday.

Since then Dominello took to Twitter to confirm that NSW residents with a digital drivers licence “will have an interim card number issued instantaneously via the Service NSW app. A new plastic licence card will be issued within 10 business days.”

Interestingly, residents will be charged for the replace licence but reimbursement from is on table.

“The cost to replace your driver licence is $29 and will be charged by Service NSW at the time of application — reimbursement advice will be issued by Optus to customers in the coming days,” Dominello said on Twitter.

4. The cost to replace your driver licence is $29 and will be charged by Service NSW at the time of application – reimbursement advice will be issued by Optus to customers in the coming days.

— Victor Dominello (@VictorDominello) September 27, 2022

At the time of writing it is unclear whether residents from other states will also be able to have the cost of new licences reimbursed.

Victoria

VicRoads has now released a statement regarding the Optus breach.

“Anyone who is concerned about their licence details and has been notified by Optus that they have been involved in the breach can contact VicRoads to have their record flagged and request a replacement,” a VicRoads press release reads.

VicRoads is also pushing its flagging system as a first port of call for concerned customers.

“By flagging records the Department of Transport will prevent any unauthorised changes or access to individual information through the Victorian licence database. Records will also be flagged within the national database,” the press release states.

“The information contained within the licencing system is complex and changes requires multiple points of verification and links to other databases.”

It also says the VicRoads will “support impacted individuals who come forward wishing to have their license replaced”.

However, nothing has been said about whether the licence replacements will be free or applicable for reimbursement.

Prior to this announcement, Victorian residents could only apply for a new licence if an act of fraud has actually occurred.

“If you’ve been notified by an organisation that a data breach may have exposed your licence details, but no fraud has taken place, VicRoads will NOT be able to change a driver licence number,” VicRoads states in a pre-existing information sheet.

This matched the experience of at least on Optus customer from Victoria, who spoke to us before the above announcement.

“I tried in VIC and was REFUSED! Only if fraud was committed in my name would they ‘look’ into it,” a source told SmartCompany on social media.

Queensland

Queensland transport minister Mark Bailey has now announced free licence renewals for impacted residents.

“Good news for Queenslanders. New licences, with new numbers, with be provided free of charge to Queenslanders impacted by the Optus breach. Please attend a @TMRQld Customer Service Centre with documentation during open hours,” Bailey tweeted.

RE OPTUS HACK –

Good news for Queenslanders.

New licences, with new numbers, with be provided free of charge to Queenslanders impacted by the Optus breach.

Please attend a @TMRQld Customer Service Centre with documentation during open hours… 1/2

— Mark Bailey MP (@MarkBaileyMP) September 27, 2022

Prior to this, there wasn’t much information available on the Department of Transport and Main Roads (TMR) website, however it did mention the hack.

“If you’re concerned about the recent Optus data breach, you can find information about keeping your identity safe at Australian Cyber Security Centre. We are working with the relevant authorities to better understand if there are impacts to our customers,” the website reads.

SmartCompany also understand that prior to the new announcements, some Queensland residents were able to get new licences, but it was been a bit of work.

“The process itself is a headache, but at the very least the staff at TMR were helpful and I think that’s worth something,” the source told SmartCompany over text message.

“They told me that I need to file a police report, as well as fill out a statutory declaration explaining what happened. A stat dec needs to be witnessed by a JP, which wasn’t difficult to arrange but it’s still another step in the process.”

They also had to file a report with Australian Cyber Security Centre and provide that reference number with Queensland Police.

“So now I’ve got my letter from the police and a stat dec signed by a JP. I go into TMR this morning, fill them in on everything, and after making copies of those documents they issued me a new number in about 15 minutes. And I wasn’t charged anything either.”

Tasmania

The Tasmanian government has an info page regarding identity theft and compromised personal information.

“Where you are a victim of identity theft and your driver licence number has been compromised, the department can assist by issuing a new driver licence number,” the site reads.

The site confirms that you need evidence of the compromised information and will have to pay a $11.49 reissue fee.

“I’m in Tassie and thankfully it was super easy. I just forwarded them the email from Optus and they reissued my number in less than 2 hours,” a source said to SmartCompany on social media.

“But I did have to go and apply for a whole new licence and pay the fee again.”

South Australia

If you’re South Australian, we have a bit of good news for you. Not only can you get you licence changed, but the Department for Infrastructure and Transport has confirmed with us that it will be free.

“Any South Australians affected by the recent Optus data breach can change their driver’s licence number by attending a Service SA Centre,” a Department for Infrastructure and Transport spokesperson said in an email to SmartCompany.

“The standard $20 replacement fee will be waived for customers requiring a replacement licence as a result of the Optus data breach.”

ACT

The ACT government has had little to say at the present time.

“The ACT government is working through the issue of replacement driver licence cards for Canberrans who have had both driver licence numbers and card numbers compromised,” it said in a press release.

Northern Territory

The Department of Infrastructure, Planning and Logistics has now announced that impacted residents with a breach notice from Optus can obtain a new licence for free.

“The Territory Government is very aware of the anxiety this breach has created for Optus customers and we are doing what we can to help address the issue,” Minister for Infrastructure, Planning and Logistics, Eva Lawler, said in a statement.

“We can assist through prioritising licence replacements for affected residents and waiving fees.”

Western Australia

The Western Australian government has told us that it will be making an announcement soon.

“The state government is currently looking at all options to safeguard the identities of Western Australians that have been affected by the Optus data breach,” a Department of Transport spokesperson said in an email to SmartCompany.

 “The Department of Transport is working closely with Home Affairs and other Australian road agencies for confirmation of WA licence records that may have been affected by the breach.”