Skip to content   Skip to footer navigation 

What to do if you've been caught up in the Optus data breach

Optus says up to 9.8 million people may have had their data breached. Here's what to do if you’re one of them.

optus store front
Last updated: 28 September 2022
Fact-checked

Fact-checked

Checked for accuracy by our qualified fact-checkers and verifiers. Find out more about fact-checking at CHOICE.

The telecommunications giant Optus says that up to 9.8 million people – almost 40% of the Australian population – may have had their private data stolen in the breach of their systems. 

Although the actual number of customers affected may be less, experts say customers need to take important steps to protect themselves from fraud and scams in the wake of the breach. 

The stolen data may include passport numbers, home and email addresses, dates of birth and driver's licence numbers. On Tuesday, Home Affairs Minister Clare O'Neil said that Medicare numbers may have also been breached, even though Optus had not advised the government that these were part of the hack. 

If you're one of the many millions of people caught up in the breach, here are the steps to take.

1. Find out what's been breached 

Associate professor in cyber security Toby Murray, from the University of Melbourne, says the important first step for current or former Optus customers is to try to work out what information may have been breached. 

Optus says as of Monday it had contacted by SMS or email all customers whose identity documents have been breached.

The company says it's in the process of contacting other customers who had other information such as email addresses breached. 

Murray, himself an Optus customer, says these communications haven't been overly specific. 

In an ideal world Optus would be more specific to customers about what has been breached

Toby Murray, Associate Professor in cyber security, University of Melbourne

"I myself was told that my date of birth, email address and an ID document was breached, [but] they didn't tell me which ID document that was. Other people have been told their ID documents weren't breached," he says. 

Murray says customers can log on to their Optus accounts online and check what ID documents types the company has on you, to know what may have been breached. You may need to go into a store to find out the specific document numbers. 

"If the document breached was an old passport that has since expired that changes your risk," he says. "In an ideal world Optus would be more specific to customers about what has been breached."  

2. Be wary of scams 

Murray says cyber criminals may use the breached data to target individuals with scams, including potentially pretending to assist those impacted by the Optus breach. 

He says customers should be extra vigilant about clicking on links or giving away personal information to anyone contacting them by phone or online. Optus has said it won't send customers any links. 

Scammers are taking advantage of the chaos and confusion caused by the breach

Kathryn Gledhill-Tucker, vice-chair of digital rights advocacy group Electronic Frontiers Australia, says scammers are taking advantage of the chaos and confusion caused by the breach.

"Hackers not involved in this breach are trying to extort people for money, saying they have your data and will release it if you don't pay them … Heightened vigilance at the moment is needed," she says. 

3. Review your online security

Gledhill-Tucker advises that now is a good time to review your general online security, including ensuring you have strong passwords along with two-factor authentication for your sensitive accounts.  

"Good digital security practices are prudent … Even if they are saying passwords haven't been breached," Gledhill-Tucker says. 

Murray says you can request that online banking providers and other services ask you multiple security questions before you log in, and ask that they take extra measures to verify your identity such as phone authentication. 

4. Replace documents 

Murray says if you've had your personal ID documents breached, you should seriously consider replacing them. 

These include passports, drivers licences and potentially Medicare cards. 

But this may be easier said than done. There are currently long wait times for passport renewals, and some states and territories won't let you replace your driver's licence unless you have evidence of fraud having taken place – a requirement Gledhill-Tucker says is unfair, as it may be "too late" once fraud has already occurred. 

Some states and territories won't let you replace your driver's licence unless you have evidence of fraud having taken place

In New South Wales, customers have been urged to lodge police reports of the breach of their driver's licence data so they can order a new licence. The NSW government has also set up a helpline for affected customers on 1800 001 040.

The Victorian government announced on Tuesday it would be supporting affected customers to get new drivers' licences in the state. 

5. Credit monitoring  

Optus says it's offering customers "most affected" by the breach free access to Equifax credit monitoring for 12 months so they can be alerted to any instances where credit is fraudulently taken out in their name. 

University of Melbourne's Murray recommends that even customers not given free credit monitoring services by Optus should consider paying for it themselves. "The cost is around $10 to $15 a month," he says.  

He adds that another option is doing what he has done and putting a ban on any credit being taken out in your name for a 21-day period as a precautionary measure. There are also free services for credit monitoring and banning new credit applications. 

Need for reform 

Digital rights advocate Gledhill-Tucker says it's vastly unfair that the job of mopping up after the breach falls on individual customers and that Optus isn't held responsible. 

Kate Bower, consumer data advocate at CHOICE, says the current laws around privacy protection were "woefully inadequate". 

"The Optus data breach has exposed the huge gap between what customers expect and what the law requires. Customers rightfully expect fair compensation and assistance to protect their personal information. Consumers have no choice but to hand over their personal data when signing up to an essential service, like a telco. So they trust that these businesses will handle their data safely and securely," she says. 

"CHOICE is calling for several reforms of the Privacy Act to better protect consumers and ensure they have appropriate remedies available to them."

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE.

Stock images: Getty, unless otherwise stated.