The telecommunications giant Optus says that up to 9.8 million people – almost 40% of the Australian population – may have had their private data stolen in the breach of their systems.
Although the actual number of customers affected may be less, experts say customers need to take important steps to protect themselves from fraud and scams in the wake of the breach.
The stolen data may include passport numbers, home and email addresses, dates of birth and driver's licence numbers. On Tuesday, Home Affairs Minister Clare O'Neil said that Medicare numbers may have also been breached, even though Optus had not advised the government that these were part of the hack.
If you're one of the many millions of people caught up in the breach, here are the steps to take.
1. Find out what's been breached
Associate professor in cyber security Toby Murray, from the University of Melbourne, says the important first step for current or former Optus customers is to try to work out what information may have been breached.
Optus says as of Monday it had contacted by SMS or email all customers whose identity documents have been breached.
The company says it's in the process of contacting other customers who had other information such as email addresses breached.
Murray, himself an Optus customer, says these communications haven't been overly specific.
In an ideal world Optus would be more specific to customers about what has been breached
Toby Murray, Associate Professor in cyber security, University of Melbourne
"I myself was told that my date of birth, email address and an ID document was breached, [but] they didn't tell me which ID document that was. Other people have been told their ID documents weren't breached," he says.
Murray says customers can log on to their Optus accounts online and check what ID documents types the company has on you, to know what may have been breached. You may need to go into a store to find out the specific document numbers.
"If the document breached was an old passport that has since expired that changes your risk," he says. "In an ideal world Optus would be more specific to customers about what has been breached."
2. Be wary of scams
Murray says cyber criminals may use the breached data to target individuals with scams, including potentially pretending to assist those impacted by the Optus breach.
He says customers should be extra vigilant about clicking on links or giving away personal information to anyone contacting them by phone or online. Optus has said it won't send customers any links.
Scammers are taking advantage of the chaos and confusion caused by the breach
Kathryn Gledhill-Tucker, vice-chair of digital rights advocacy group Electronic Frontiers Australia, says scammers are taking advantage of the chaos and confusion caused by the breach.
"Hackers not involved in this breach are trying to extort people for money, saying they have your data and will release it if you don't pay them … Heightened vigilance at the moment is needed," she says.
3. Review your online security
Gledhill-Tucker advises that now is a good time to review your general online security, including ensuring you have strong passwords along with two-factor authentication for your sensitive accounts.
"Good digital security practices are prudent … Even if they are saying passwords haven't been breached," Gledhill-Tucker says.
Murray says you can request that online banking providers and other services ask you multiple security questions before you log in, and ask that they take extra measures to verify your identity such as phone authentication.
4. Replace documents
Murray says if you've had your personal ID documents breached, you should seriously consider replacing them.
These include passports, drivers licences and potentially Medicare cards.
But this may be easier said than done. There are currently long wait times for passport renewals, and some states and territories won't let you replace your driver's licence unless you have evidence of fraud having taken place – a requirement Gledhill-Tucker says is unfair, as it may be "too late" once fraud has already occurred.
Some states and territories won't let you replace your driver's licence unless you have evidence of fraud having taken place
In New South Wales, customers have been urged to lodge police reports of the breach of their driver's licence data so they can order a new licence. The NSW government has also set up a helpline for affected customers on 1800 001 040.
The Victorian government announced on Tuesday it would be supporting affected customers to get new drivers' licences in the state.
5. Credit monitoring
Optus says it's offering customers "most affected" by the breach free access to Equifax credit monitoring for 12 months so they can be alerted to any instances where credit is fraudulently taken out in their name.
University of Melbourne's Murray recommends that even customers not given free credit monitoring services by Optus should consider paying for it themselves. "The cost is around $10 to $15 a month," he says.
He adds that another option is doing what he has done and putting a ban on any credit being taken out in your name for a 21-day period as a precautionary measure. There are also free services for credit monitoring and banning new credit applications.
Need for reform
Digital rights advocate Gledhill-Tucker says it's vastly unfair that the job of mopping up after the breach falls on individual customers and that Optus isn't held responsible.
Kate Bower, consumer data advocate at CHOICE, says the current laws around privacy protection were "woefully inadequate".
"The Optus data breach has exposed the huge gap between what customers expect and what the law requires. Customers rightfully expect fair compensation and assistance to protect their personal information. Consumers have no choice but to hand over their personal data when signing up to an essential service, like a telco. So they trust that these businesses will handle their data safely and securely," she says.
"CHOICE is calling for several reforms of the Privacy Act to better protect consumers and ensure they have appropriate remedies available to them."
Stock images: Getty, unless otherwise stated.