Optus Data Breach
If you think you may be affected by the recent Optus data breach contact Optus Customer service on 133 937. For more information, see Optus Data Breach ↗.
You should also:
- Secure and monitor your devices and accounts for unusual activity, and ensure they have the latest security updates.
- Enable multi‑factor authentication for all accounts.
- If you need assistance with taking these steps, visit the Australian
Cyber Security Centre ↗.
Be alert for scams referencing the Optus data breach. Learn how to protect yourself from scams by visiting Scamwatch ↗.
If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately and call IDCARE ↗on 1800 595 160.
If your identity has been stolen, you can apply for a Commonwealth Victims' Certificate ↗.
If you believe you are victim of a cybercrime, go to ReportCyber ↗.
The following websites can help you protect yourself and stay informed
If you wish to make a privacy complaint, contact Optus by their Make a complaint ↗ page. If you are unable to resolve your complaint with Optus, you may wish to lodge a complaint with the Telecommunications Industry Ombudsman ↗ and the Office of the Australian Information Commissioner ↗.
What is the Government doing to protect your identity?
The Government is looking at all possible solutions to protect and reissue victims' identity documents.
The government has amended the Telecommunications Regulations 2021 to better protect Australians following the Optus data breach. They will allow Optus to share limited information with financial institutions and government agencies to detect and mitigate the risks of malicious activity, including ID theft and scams. These changes will reduce the impact of this data breach on Optus customers and enable financial institutions and government agencies to implement enhanced safeguards and monitoring.
The Department of Home Affairs has established a Commonwealth Credential Protection Register to help stop compromised identities from being used fraudulently. As Optus provides data, issuing agencies will assess and determine whether to add credentials to the register. As at 14 October 2022, the register includes around 100,000 Australian Passports. These passports can still be used for international travel. The Department of Home Affairs is working with federal and state government agencies to upload compromised credentials to the register, with a focus on Australian and New Zealand passports and Australian drivers licences.
The Australian Federal Police (AFP) has launched Operation HURRICANE to investigate the criminal aspects of the breach. The AFP has also launched Operation GUARDIAN, under the AFP led JPC3, a joint partnership with law enforcement, the private sector and industry to combat cybercrime. Operation GUARDIAN is focused on shielding affected customers, where they can be identified, and working with industry to enhance protections for members of the public. The AFP is also monitoring online forums, including the internet and dark web, for criminals trying to exploit the breached data. The AFP will not hesitate to take action against those who are breaking the law.
The Australian Cyber Security Centre is supporting Optus with a cyber-security incident response and assisting other Australian telecommunications providers to enhance their cyber security.
The Department of Home Affairs is working with Commonwealth, state and territory agencies to minimise the potential for exposed documents to be used fraudulently.
If your Medicare card details have been exposed, Services Australia will allow you to replace your Medicare card ↗ for free. If you believe there has been unauthorised activity to any of your Services Australia accounts, contact their Scams and Identity Theft Help Desk ↗.
Passports are still safe to use for international travel. However, the Government understands impacted Optus customers may be concerned about identity theft relating to their passports. Customers who choose to replace their passports can call the Australian Passport Office where staff are ready to assist. Optus has agreed to reimburse the costs associated with replacing a passport due to the breach. More information can be found at the Australian Passport Office ↗.
The Government will continue to update this factsheet as Optus provides more advice.
Credential Protection Register.
The Credential Protection Register stops the verification of known compromised credentials (i.e. credentials which have been subjected to a data breach) through the Document Verification Service (DVS), meaning they cannot be used for fraudulent identity verification purposes. However, this means rightful owners will not be able to use them online. New credentials issued following the data breach will work as normal. In the interim, impacted individuals should consider using alternative credentials or speak to service providers that ask for identification for other options, such as visiting the service in person to present the credential.
Prior to the establishment of the Commonwealth Credential Protection Register, compromised credentials would successfully verify through the Document Verification Service (DVS) as real and valid identity documents belonging to real people.
The Department of Home Affairs will continue to work with key stakeholders to refine the Credential Protection Register to ensure it provides a longstanding identity recovery and resilience mechanism for all Australians.
What does this mean for you?
If you have recently had your identity credentials (i.e. Australian passport or drivers licence) compromised in a data breach, the details of your compromised credential may be uploaded to the Credential Protection Register. The inclusion of your compromised credential on the register is automatically done by the organisation that issues the credential based on your risk profile. You are not required to take any action.
You should consult with the credential issuer regarding if the credential should be replaced, until this occurs your credential will continue to function for the purpose it was issued e.g. allow you to drive a car or travel internationally but will not function for the purpose of confirming your identity.
Once your compromised credential has been replaced the details of your old credential will remain on the Credential Protection Register to ensure it cannot be used for future fraudulent verification purposes. Leaving your compromised credential on the register will have no impact on your ability to verify your new identity document.
Why
organisations need to verify your identity
When you access government services, apply for a bank loan or receive a medical benefit, organisations may ask you for proof of identity. This is because organisations need to make sure they are helping legitimate customers, and not someone attempting to commit identity crime.
Identity crime [PDF] is one of the most prevalent crimes in Australia. One in four Australians will be a victim of identity crime at some point in their lives. The Identity Matching Services are designed to better protect you from identity crime and save the Australian community a substantial amount of time and money.
The Identity Matching Services can check whether your identity document is valid, with your consent. They can also help you to reclaim your lost or stolen identification documents faster, without the need to re-establish your identity.
By providing organisations with the means to verify your identity documents, more government services can be provided completely online, while significantly reducing the risk of identity crime.
What can match results show
Match results can show if your identity information matches the information that the document issuing organisation has on record.
In most cases, match results will return simply a ‘yes’ or ‘no’ answer to verify a record. In more limited cases a government agency may also request additional information, such as your name or photo. This may only happen where the agency has a legal authority to collect this information.
A match result can’t be the sole deciding factor for the organisation when they decide if they will supply you with a benefit or service. In other words, the Identity Matching Services do not make decisions about your identity - that responsibility rests with the user organisation, taking into account all the available information at their disposal.
Where is your information stored?
Each government agency that issues your identity documents has its own secure system to store and protect the original record. In most cases, the Identity Matching Services access information direct from these systems.
In the case of driver licence information, the DVS hub checks your information with the
National Exchange of Vehicle and Driver Information System (NEVDIS). NEVDIS is operated by Austroads Ltd on behalf of driver licencing authorities.
Facial images on driver licences will over time be provided by driver licencing authorities and stored in a system called the National Driver Licence Facial Recognition Solution (NDLFRS), hosted on behalf of the states and territories by the Department of Home Affairs.
A list of information shared by the Identity Matching Services is available in our Privacy Statement.
Get help with a match or incorrect identity information
In rare cases, your valid identity information may fail to match with the original record. This might be because:
- your personal details were entered incorrectly
- the original record is incorrect
- the system was unavailable.
If this is the case, contact the organisation that performed the check. They can:
- talk to you about your identity verification options
- ask us to do a secondary check
- ask the issuer to check the quality of their record.
If you are not satisfied with their response, you can contact the IDMS Manager by email.
Face Identification Service and law enforcement
Law enforcement and anti-corruption agencies in Australia can use Face Identification Service (FIS) without your consent only as part of the following activities:
- prevention and detection of identity fraud
- law enforcement
- national security
- protective security
- community safety
The FIS cannot be used for mass surveillance or for investigating minor offences such as jaywalking or littering.
