Anna was ready to buy her first home – but then her details were leaked in the Optus data breach and everything changed
For New South Wales resident Anna*, having her personal details compromised in the Optus data breach has had serious implications as a prospective first-home buyer.
And, she says, failing to get clear advice from Optus in the immediate aftermath may have made things worse.
Both Anna and her partner have spent the past year actively trying to purchase a home in their regional town, Nambucca Heads.
With stiff competition from an exodus of city dwellers pushing house prices up over the pandemic, their efforts have been unsuccessful.
According to realestate.com.au, the median price of homes in the area has gone up by almost 30 per cent in the past year but, in line with trends across the country, house prices have recently begun to stabilise.
"The market has finally slowed down, so we are aware that this is the best chance we've had," said Anna.
Anna is desperate to leave the unstable rental market after her last rental home was sold by her landlord and she experienced rental shortages in the market afterwards.
She was in the thick of negotiations for a potential home and applying for a home loan when Optus notified her via email that she had been part of the data breach.
Like many other affected Optus customers, she immediately wanted to find out what ID documents the company had on file.
"After much back and forth, I asked what details were taken and Optus once again told me to wait for an email explaining everything," Anna said, having contacted Optus via the MyOptus app.
"I never received another email."
With the Optus data breach exposing almost 10 million current and former customers to identity theft, law firms are circling for what could end up being the biggest — and most valuable — class action case in Australian legal history.
Drivers licence numbers and passport numbers were the two ID documents first identified as being compromised in the leak, along with names, dates of birth, phone numbers and email addresses.
Anna had only one thought in her mind: protect her credit score.
She rang the authorities to get advice on how best to minimise the risks of identity fraud, while waiting for the second email from Optus.
The advice she was given was to replace her drivers licence, cancel her passport and apply for a new one — with the caveat that she would need to cover any related costs.
The cost of replacing drivers licences has now been waived for Optus customers who have explicitly been notified of having their ID leaked.
However, in some states, affected Optus customers may have to pay up-front before getting reimbursed by Optus.
An authenticated letter is needed from Optus to confirm the ID document has been compromised.
Because Anna acted quickly, she initially found herself unable to replace her drivers licence without a police report or an authenticated Optus letter, an experience shared by other NSW residents.
"I was told that I can't make a report as I hadn't been defrauded and I needed to wait for money to be stolen first," said Anna.
So, four days later and with still no word from Optus, she reached out to Optus again via the MyOptus app to obtain the authenticated letter.
Optus staff requested she visit an Optus store, saying they were "unable to provide any documents in the form of information which is hacked" because of the data breach.
With Anna's nearest Optus store a 50-minute drive away, she pursued them via the app the next day.
They responded two hours later, and told her which documents had been leaked: her drivers licence and Medicare ID.
Optus say they have contacted all 1.2 million customers who have been identified as needing to change their ID documents.
Medicare cardholders can replace their cards free of charge through myGov, the Medicare app or by calling 132 011.
Passport holders can replace their passports by:
A Department of Foreign Affairs and Trade spokesperson said: "Australian passports are safe to use for travel, even if the passport number was disclosed in the Optus data breach."
Optus confirmed they would cover the costs of replacement passports for customers who have been informed their passport number had been leaked.
However, for permanent resident Darrell, it is still unclear how the compensation applies to residents and migrants who are on temporary visas.
Getting a replacement passport would involve visiting an embassy or consulate, which might also incur interstate travel costs.
"I've got to firstly put in an application fee and [then] book flights up to Canberra to pick up the passport and return to Sydney and arrange for various changes in documents," he said.
While Australians can choose to cancel their passport while waiting for a replacement, it's not as simple for visa holders.
"Migrants and people on visas can't easily cancel their passports since their visas are tied to their current passport number," said Darrell.
With an estimated wait time of 6 to 8 weeks for a new Singapore passport, he said, "There's a risk that visa holders are exposed to passport fraud or breaches before we get our new passports."
Optus has yet to address Darrell's concerns about how they would compensate visa holders and support them in mitigating potential cyber security risks.
Following early advice from authorities, Anna applied for a credit report with Equifax the day after being told she had been involved in the data breach.
She was told the process to assess her application would take up to five business days.
In the meantime, fearing potential damage to her credit score, she applied for a credit ban which freezes access to her credit file.
This decision, however, has jeopardised her chances of getting a home loan.
"I've been told that the credit ban means banks aren't able to access my credit report until mid-next month," said Anna.
Before applying for a credit check and credit ban, it is important to first understand how they work and when they are needed, explains Bond University Associate Professor of Finance Dr Simone Kelly.
She says a credit report will show if you have defaulted in some way, especially if "someone has stolen your identity and got credit or applied for things in your name".
"That's not going to be immediate with this scenario and it may take months before you know you have a situation," she warns.
Dr Kelly says a credit ban means "credit reporting agencies are not able to disclose any personal information about you or your credit file to any credit providers unless you provide consent to them to do so".
In Anna's case, she would need to account for time needed to put through the request and for the credit reporting agency to conduct due diligence, which Dr Kelly said is "not going to be an instantaneous situation".
While a credit ban comes into effect immediately on request, it only lasts for 21 days so there is a need to ensure it rolls over if necessary.
Dr Kelly believes hackers will wait a bit of time before acting on identity theft.
"They know people — both individuals and banks — are going to be hyper vigilant at this point," she says.
Changing passwords to all accounts, especially those connected to your finances, is a good first step, says Dr Kelly.
Next, assess existing payment methods and move away from direct debit to have more control over your finances.
"If you're paying by BPAY or go to the post office to [make payments], you're at less risk than if you have supplied direct debit account numbers or have payments charged to your credit card," she said.
Many organisations require customers to submit 100 points of ID before being able to act on their request, where primary documents such as passports and drivers licences hold the highest points.
However, photo documents would usually have to be sighted or certified before being used to grant approval.
Despite Optus saying only ID numbers have been leaked, Dr Kelly strongly advises people to apply for a replacement if they have been impacted.
Applying for a credit check and credit ban can also be tricky depending on your financial situation and Dr Kelly says to "weigh up the consequences".
"If you're in the middle of applying for a home loan, this is really bad timing for you because it could be quite disruptive".
Otherwise, she recommends checking transactions regularly and keeping up with credit bans where possible.
Optus has offered both current and former customers affected by the breach a free 12-month subscription to Equifax, one of three major credit reporting agencies in Australia.
After acting on advice to cancel her passport, rather than replace it, Anna is now unable to fulfil the 100 points of ID requirement for a home loan as she was told a new passport will take at least three months to be processed.
"It's been really stressful because we were in negotiations to buy and we aren't sure how this will affect us now," she said.
Anna feels disappointed about the lack of support from Optus.
"It just feels like the company has made a huge error, jeopardising my safety, and I've been the one responsible for mitigating the risk," she said.
In a video posted online, Optus chief executive Kelly Bayer Rosmarin apologised for the incident, saying they are "deeply, deeply sorry, especially because [Optus] genuinely care" about safeguarding customers' information and invest millions of dollars to prevent such an occurrence.
Optus has also hired consulting company Deloitte to run an independent external review of the data breach.
* Anna's real name has been withheld to protect her privacy.