State and federal governments are expecting Optus to pay for its customers to change to identity documents like passports and drivers licences that were exposed in a breach.

Details of nearly 10 million former and current Optus customers were exposed in the incident which the telco said included passport and/or drivers licence numbers for 2.8 million Australians.

Optus has since admitted 14,900 valid Medicare numbers were also taken, following publication of sample data from an online extortionist claiming to be the attacker.

For Optus customers who are worried about the heightened risk of identity theft following the breach, most states and territories are offering free changes to driver’s licences.

Queensland Transport Minister Mark Bailey said on Tuesday evening that “new licences, with new numbers, [will] be provided free of charge to Queenslanders impacted by the Optus breach”.

The Victorian government likewise said licence number replacements would be free with a spokesperson saying it would “request Optus repays the cost of the new licences”.

South Australia, the ACT, Tasmania, and Northern Territory are also offering free licence changes to affected customers.

NSW Customer Service Minister Victor Dominello said people in his state could get new card numbers – not necessarily new drivers licence numbers – but it would come at a cost of $29 which he said could be reimbursed by Optus.

Western Australia can’t offer changes to drivers licence numbers, something the state Transport Minister said she was looking into fixing.

The federal government is hoping to make sure Optus pays the bill for replacement passports which usually cost $193.

Foreign Minister Penny Wong has written to Optus CEO Kelly Bayer Rosmarin asking for Optus to “cover the passport application fees” of customers whose details were exposed in the breach.

“There is no justification for these Australians – or for taxpayers more broadly on their behalf – to bear the cost of obtaining a new passport,” Wong said.

For Optus customers concerned about having their Medicare number exposed, Services Australia recommends replacing their Medicare cards which can be done online through myGov.

Identity concerns

Optus had gathered the exposed document numbers for identity verification purposes and appears to have stored them in plain text on a database that was accessible through an unauthenticated, internet-facing test API.

After pressure from the Home Affairs Minister, Optus began offering a free 12-month subscription to Equifax Protect – a credit monitoring and identity theft protection service, which ironically suffered its own breach in 2017 which saw the personal information of 145 million customers stolen.

Affected customers will have received a code for the Equifax service via email.

Louay Ghashash, CISO of cyber firm Spartans Security and chair of the Australian Computer Society’s Cyber Security Committee, told Information Age affected Optus customers ought to take extra steps beyond changing document numbers and signing up for Equifax Protect – which he thinks Optus should offer for five years, not just one.

“If you signed up with Optus on an email account that you also use with financial institutions, you should change that email address,” Ghashash said.

“Then I would recommend contacting Optus to make sure you’re notified if anybody requests phone redirection.

“Hackers often try to impersonate people in order to redirect calls and messages to another SIM card which they use to intercept multifactor authentication messages.”

The Australian Communications and Media Authority (ACMA) has tried to clamp down on SIM swapping by requiring greater identity verification before letting people transfer services to a new SIM.

For Ghashash, it’s especially important to make efforts to mitigate any risk that your identity is stolen.

“I’ve seen people who have had details breached like this and the effects lasted well beyond 12 months,” he said.

“One customer of mine had their identity stolen and the attacker used it to take out a home loan under their name.

“Two years later and they’re still having issues.”