My personal information has been exposed/compromised! What should I do to protect myself?

Manglu Balasubramanian
Sep 29, 2022


We live in a modern “digital” world where our data, including sensitive and personal information (SPI data), is stored by a number of organizations (government departments as well as private corporations such as banks, telcos, etc.).

If the entity is hacked or suffers a data breach, your data is potentially exposed to bad and malicious actors. Two recent (September 2022) data breach incidents, Uber and Optus, resulted in the average person (the proverbial Joe/Jane) being impacted as their data has been exposed. If you are a current customer (or an ex-customer) of Optus whose data has been exposed, then this article will provide you with information and the next steps.

In the future, I will attempt to write an article that provides a standard checklist that can be used across multiple countries. Honestly, that is an article that I don’t want any reader to ever have a need to read and use!!

The ABC estimates that up to 9.8 million Australians could have their data compromised. Optus has not disclosed the exact number of individuals whose data has been compromised.

Let’s try and place this number — “9.8 million” Australians in the right perspective. Based on the 2021 Census there are approx 25.4 million Australians. The number of people who are potentially impacted by this Optus data breach is nearly 1 in 3 Australians.

If you were not impacted by this breach, consider yourself lucky. You could be a victim too in the near future. I am not wishing bad luck or ill-will on you. It is better to be prepared than to be caught with your pants down when your data has been compromised.

Here is a quick list of things that you can peruse.

1. As a potential Victim, you must be notified by Optus

In Australia, under the Notifiable Data Breaches (NDB) scheme any organization must notify affected individuals and the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.

In this instance, Optus has followed the NDB scheme and notified all affected individuals via email and/or SMS.

The contents of the notification would look something similar to the one below:

Figure 1: Example of an Organization notifying a potential victim

There are a couple of important things to note here:

  1. The specific ID document that has been accessed/exposed. The message states the numbers of ID documents such as driver's license number or passport number. If you had provided the ID document, say, in 2017 (a good 5+ years ago), chances are you will not be able to recollect which ID documents you used for verification purposes.
  2. The communication is silent on the ID documents such as Medicare ID.

2. Is your Driver's License Number compromised?

Optus is working closely with the Government of each State/Territory to help customers in the event ID documents need to be changed. This page from Optus provides their guidance for each of the States and Territories.

ACT Driver License Number & Driver License Card Number: Access Canberra is prioritizing the replacements of driver licence cards for people who have had BOTH data fields compromised. You can apply for a replacement licence online.

NSW Driver License: If Optus recommends a customer replace their licence, or a customer wishes to replace it as a precaution they can do so online.

NT Driver License & Card Number: Optus customers who require new licences will not be charged. Affected customers will have to attend an MVR and present their notice from Optus. Regional and remote clients should contact the MVR on 1300 654 628.

QLD Driver License Number aka Customer Reference Number (CRN): If you’ve been notified by Optus (through email, text, or account message) that your driver licence number has been exposed as part of the data breach, follow the steps described here and your card/s will be replaced free of charge and you will receive them in the mail.

SA Driver License Number: If you have been advised that your driver licence details have been compromised by the recent Optus data breach, you are eligible to request a new driver licence number. Please attend a Service SA centre to apply for a change of licence number. Please bring any documentation you have received from Optus.

TAS Govt Personal Information Card: If you are replacing your card due to the recent Optus data breach, you must show your Optus data breach communication or provide a Statutory Declaration that states your personal information was breached by the Optus data leak. There is no charge for this replacement.

Victorian Driver License Number: You can request to have your licence record flagged and VicRoads will prevent any unauthorized changes or access to individual information through the Victorian licence database.

WA Driver License Number: New driver’s licence cards with new licence numbers will be issued to those who have been informed by Optus that their driver’s licence information has been compromised as part of the breach. Attend a Department of Transport (DoT) Driver and Vehicle Services Centre or regional agent to have a new licence issued.

3. Is your Medicare Number compromised?

14,900 valid Medicare ID numbers along with 22,000 expired Medicare card numbers have been exposed. If your Medicare ID number has been compromised, Optus will contact you directly. You can replace your Medicare card at no cost using one of the options below:

  • Your Medicare online account at myGov;
  • Express Plus Medicare mobile app; or
  • Calling the Medicare program on 132 011 (24/7)

Note: You’ll have the same Medicare number you did before, only the last digit will change.

I am still trying to work out what the note from Services Australia means by stating only the last digit will change!!

4. My Passport Number is exposed!

Even if your passport number was exposed, you can still use the passport for travel.

However, the passport details MAY be misused to commit identity fraud.

According to the Department of Foreign Affairs and Trade (DFAT) the decision to get a new passport is your personal decision.

The Australian government wants Optus to pay for the new passport with the Foreign Minister, Penny Wong, formally asking Optus to cover the cost of new passports.

If you don’t intend to do overseas travel soon, you can cancel the passport without getting a new one. This would prevent the exposed passport number from being used for travel or identification purposes.

Optus has so far (29th Sept 2022) not provided any information about paying affected customers for their new passports if they choose to apply.

5. Is Optus providing other assistance to affected customers?

Optus will provide customers with the option to take up a 12-month subscription of Equifax Protect at no cost to them. You should receive communication from Optus on how to start your 12-month subscription with Equifax Protect.

Optus has engaged IDCARE, Australia’s national identity, and cyber support service, to help support affected customers.

6. What else can I do or keep an eye on?

Credit Report: Get a copy of your credit report to check it’s accurate. While you are waiting to receive the 12-month subscription of Equifax Protect, you can use your free credit report entitlement (we are entitled to a free credit report once every 12 months).

Ban Period: You can consider contacting credit reporting bodies (Equifax, Experian, and illion are the three main bodies in Australia) to place a ban period on your credit report. During the ban period, the credit reporting bodies won’t use or disclose your credit report or add new information to it. The initial ban would last 21 days and you can extend it further to a maximum of 1 year.

If you think you’ve been a victim of identity crime, then I suggest applying for a victim’s certificate.

Refer to the guidance from the Australian Cyber Security Centre to secure your identity.

Refer to the 8 ways to protect your identity against a data breach published by Equifax.

Refer to recommendations/suggestions published by OAIC.

Law firms such as Maurice Blackburn and Slater and Gordon are considering a possible class action against Optus to potentially claim compensation for persons impacted by the data breach.

Key Updates — 4th October 2022

  1. Optus has started sending a communication to impacted individuals stating which ID document was exposed. The initial communication did not state the specific document(s) which were exposed. An example email is shown below:

Figure 2: Sample email from Optus about a Customer’s Driver License exposed

2. Optus CEO Kelly Bayer Rosmarin revealed on 3rd October 2022, that 9.8 million people had their data accessed but said 7.7 million do not need to replace documents (Source: A message from Optus to our customers.)

3. Optus CEO states that 7.7 million do not need to take any further action. 2.1 million people had an identity document number exposed. (Video — 1.20 mins)

4. Out of the 2.1 million people, 900,000 had ID documents that had expired. This group MAY need to take action. (Video — 1.20 mins)

5. The 1.2 million customers who had valid ID documents (i.e. not expired) have been reached out to by Optus. They SHOULD take action to protect their identity. (Video — 1.45 mins)

6. Optus website will be the single source of truth and gives the most up-to-date information that you need to know. (Video — 4.28 mins)

Figure 3: If you are an impacted customer, which rectangle do you fit in?

Key Updates — 7th October 2022

  1. Optus has identified 17,000 valid and a further 26,000 expired Medicare ID numbers exposed. Optus confirms that they have communicated with all contactable customers whose Medicare card numbers were exposed.


Manglu Balasubramanian

CDR/Open Banking Solution architect working with one of the large Australian banks. Skilled in general solution architecture and an early adopter of technology.