Optus breach – Aussie telco told it will have to pay to replace IDs
11,200,000 user records with name, date of birth, mobile number and ID
  4,232,652 records included some sort of ID document number
  3,664,598 of the IDs were from driving licences
10,000,000 address records with email, date of birth, ID and more
  3,817,197 had ID document numbers
  3,238,014 of the IDs were from driving licences

The seller wrote, "Optus if you are reading! Price for us to not sale [sic] data is 1,000,000$US! We give you 1 week to decide."
If the attacker's claim to have retrieved a total of more than 20,000,000 database records from two databases is to be believed, we're assuming [a] that Optus userid codes were easily computed or guessed, and [b] that no "Database access has hit unusual levels" warnings went off.
If the optusdata BreachForum poster was telling the truth, and close to 4 million licence numbers were stolen, close to 25% of all Australian licences might need replacing.
Those without licences, or visitors who had bought SIM cards from Optus on the basis of a foreign passport, would need to replace their passports instead - an Australian passport replacement costs close to AU$193, a UK passport is £75 to £85, and a US renewal is $130 to $160. Who carries the cost?
Not only are we demanding Optus pay for replacement passports for those affected by the breach, but we're also committed to strengthening our privacy laws through the Privacy Act review.
No word on whether "Replace all documents" will become a routine reaction whenever a breach involving ID documents is reported, something that could easily swamp the public service, given that licences and passports are usually expected to last 10 years each.