When Bernard Sheppard heard there had been a data breach at Optus, the former customer strongly suspected he would be affected.
He received an email from Optus on Sunday, three days after the company confirmed the hack.
It stated his exposed data included his name, date of birth, email, phone number, address, and ID document such as a drivers licence or passport number.
Mr Sheppard said he was "disappointed but not surprised" by the breach that has affected up to 9.8 million current and former Optus customers.
More concerning is that he does not know whether it was his licence or passport number that was leaked, as he joined a long time ago and had since left the carrier.
"I've got in touch with Optus — they either can't tell or won't tell," he said.
He wants to change his drivers licence number to prevent against identity theft, but VicRoads does not allow Victorians to do so unless fraudulent activity has already occurred.
"To have an approach that says we won't do anything until after you've already been defrauded or had your identity stolen just seems to be entirely the wrong approach for VicRoads to be taking," he said.
He said he was not as concerned about his passport number being leaked, as it would have been provided more than 10 years ago and since expired.
Passport numbers change when the document expires, while drivers licence numbers stay the same throughout a person's life other than in exceptional circumstances.
Different state and territory rules for changing licence numbers
David Batch, national privacy lead at CyberCX, said it was concerning that the hack had exposed personal details, including licence and passport numbers.
"The more data that some bad actor has on you, the more likelihood there is that you could be the victim of identity theft and subsequently fraud as a result," he said.
But because licence numbers are designed to stay with the driver for life, he said most states and territories usually only changed the number when there was a high risk of fraud.
"Unless there's actually direct evidence of there being fraud … using the drivers licence number, the current position with most of them is that they won't replace it," he said.
He advised people to contact the licensing authority in their state or territory, as well as Optus, to explore the options based on individual situations.
The ABC followed up with each state and territory regarding their stances on changing licence numbers for those affected by the Optus breach.
Victorians can apply for a new licence number through VicRoads, but a lot of evidence is required and there must have been an attempted fraud.
Victims of the breach can supply a category one document, which includes a Commonwealth Victims' Certificate, a court extract, or a police request to VicRoads "outlining the circumstances under investigation and a recommendation to change the licence number".
Otherwise, they can provide a statutory declaration and two category two documents, which include a company letterhead from the service provider confirming fraud has occurred, a police incident report, an affidavit indicating fraud, or an infringement report.
Victorian Premier Daniel Andrews said VicRoads did not often reissue licence numbers "to prevent further fraud", but said he would look into the issue.
"There needs to be a process to go through to get a licence because that's obviously a very important form of ID," he said.
"Let me have a look into any of those delays and see whether there's something that can be done."
In New South Wales, victims of the breach must "report the theft or incident to police and obtain a police event or ReportCyber receipt (CIRS) number" and fill out a replacement form to get a new licence number.
New South Wales Customer Service Minister Victor Dominello said Optus customers whose drivers licence details had been compromised by the hack should apply for a replacement licence.
In Queensland, a Department of Transport and Main Roads spokesperson said the department had been assisting customers affected by the Optus breach but did not say whether it would be possible to change the licence number.
"Should our customers be concerned their driver licence number (also known as customer reference number) has been used for fraudulent activity, they should immediately contact the Queensland Police Service," they said.
"It is important to remember a TMR driver licence remains a highly secure identity document with a range of physical security features to prevent alteration or forgery.
"Furthermore, customers interacting with TMR online using personal information are required to use a two-factor authentication."
In 2019, the Queensland government told the ABC the licence number could only be changed if fraudulent activity had occurred.
"For a new driver licence to be issued, the customer will need to provide written evidence from an enforcement agency confirming the licence was fraudulently compromised, in addition to a statutory declaration from the customer outlining details of the fraudulent activity and signed by a Justice of the Peace," a spokesperson said in 2019.
Anyone in Tasmania who is affected can contact Services Tasmania about the breach.
They will be given a letter to take into a Services Tasmania branch and can then apply for a new licence with a new number.
Regular fees will apply for the licence.
A spokesperson for the South Australian Department for Infrastructure and Transport said those affected by the Optus breach could get a new drivers licence number at a Service SA Centre.
It is not possible to change a Western Australian drivers licence number, but the state's Transport Minister Rita Saffioti said she was considering changing the rule.
"I've sought advice from the Department of Transport on the matter and it's something I'm willing to consider," she said.
The Northern Territory and Australian Capital Territory governments said they were still working on what to do about the issue.
Telecommunications companies must retain customers' data for at least two years under the Telecommunications (Interception and Access) Act.
Optus CEO Kelly Bayer Rosmarin said the carrier was working with authorities to retrieve customers' data.
"We've also been working behind the scenes with all the licensing authorities to see what we can do to reissue licences in the case where they believe that that's necessary," she said.
Law firm Slater and Gordon is investigating a class action against Optus on behalf of customers affected by the breach.
Ben Zocco, a senior associate of class actions at Slater and Gordon, told ABC Radio Melbourne the monetary cost and administrative inconvenience of replacing licences and passports could potentially form part of the class action.
"Since announcing the investigation yesterday we've had many thousands of customers register their interest to participate in any proceedings," he said.
Passport numbers alone not enough to travel on
While passport numbers were leaked in the breach, the Department of Foreign Affairs and Trade (DFAT) stated on its website there was no breach of its own systems and passports were still safe to use for travel.
So while no-one will be able to travel using leaked passport details, the passport number may still be used for identity theft.
DFAT stated it was up to the affected individual if they wanted to cancel their passport or apply for a new one, but it would still be charging the same prices.
Mr Batch said customers could ask Optus about potentially covering these costs.
"There has been precedent for organisations paying for reissue of people's passports if they've assessed the risk as being great enough," he said.
Cyber expert says treat data like it's already been compromised
Mr Batch also advised people to take their privacy and security into their own hands.
"Things like checking your credit record on a regular basis to see if there's any unusual activity on it," he said.
He also said customers could subscribe to credit monitoring services that do this for them.
"The reality is the data is out there potentially already anyway, and you should always treat it as if it has been compromised and take those active protections," he said.
Following heavy criticism from the Home Affairs Minister, Optus on Monday announced it would offer free one-year subscriptions to a credit monitoring and identity protection service, to the "most affected" current and former customers.
Mr Sheppard is taking other steps to secure his information, including closing bank accounts where SMS is the only possible method of two-factor authentication.
"I'm being a little bit paranoid, but I've previously had mail stolen and had St Kilda police call me and say 'hey, you're a potential victim of identity theft', so I'm on edge here," he said.
"I'm taking every action I can to try and avoid being a victim a second time around."
Those wanting to learn more about protecting against fraud following the breach can visit the Australian Cyber Security Centre.
