
Free Replacement of Passport for Eligible Optus Data Breach Customers @ Australian Department of Foreign Affairs and Trade


For those affected by the Optus data breach.

Announcement by Anthony Albanese on Facebook.

An important update for all Australians on the Optus security breach.

After actions taken by myself, Penny Wong - Senator for SA and Clare O'Neil MP, Optus has agreed to pay for replacement passports for those affected by the data breach.

From DFAT page:

If I decide to get a new passport, will I need to cover the cost?

Optus has indicated it will cover the costs of replacing affected customers’ passports. On 30 September, the Prime Minister confirmed that Optus will cover costs for affected customers wishing to receive a new passport due to the breach. The APO is working with Optus to finalise these arrangements. Optus will contact customers that are affected.

Update 14-Oct-2022

Information copied from the Optus Website regarding passport information

Do I need to replace my Passport?

For Australian passport holders, the advice from the Department of Foreign Affairs and Trade (DFAT) is that you do not need to replace your passport.

For New Zealand passport holders with concerns, contact New Zealand Internal Affairs (NZIA).

For International Passport holders, Optus is working with the Department of Home Affairs to provide advice to these customers. You will be contacted if you need to take any action.

To help you identify the numbers this article refers to, please visit our ID Document Number reference guide.

Australian Passport Holders

There are four groups of customers with Australian passport information exposed. If Optus contacts you, we will notify you of the group to which your circumstances relate.

If you remain concerned, for Australian Passport holders there are specific circumstances where we will provide reimbursement to eligible customers to replace their passport. This process will be formalised in the coming week. Please contact us then for more information.

Please read the website for more information at https://www.optus.com.au/support/cyberattack/passport-inform…


Comments

        • nope.. one clearly has intent and malice, the other is just ignorance.

    • +1

      obviously, they would not care…

    • +4

      Yeap same situation here. Checked the info Optus have on me through Whirlpool's method, seems like my non-Aussie passport details leaked.

      Are they going to compensate us for that? How will it work? Do we just send them the invoice after getting it replaced?

      • +1

        What Whirlpool method please?

        • +8

          https://whirlpool.net.au/wiki/optus_sept_2022_breach

          this was a little different before but here it is under the title What data on *my* Optus account could have been exposed? Can I find out if I used my drivers licence, passport or Medicare?

          unfortunately seems like a lot of the valuable info that allowed you to see what they were holding is not taken away. which is a bit backwards.

      • +1

        I think they leaked passport number but not country name. Not saying it’s difficult to obtain from social media, it’s just an extra step for scammers.
        Also, in my experience, the creditors, telecoms, banks don’t do automated verifications of overseas passports, and require a copy of bio page.

    • -1

      How about international passport holders?

      Is it you have to go back and ask your country?

      • +2

        How our government re-issue your International passport?

        • +1

          I think the suggestion is that you'd talk to the foreign country yourself, but Optus would reimburse the cost.

    • I’d check with your respective embassy. I doubt an arrangement would exist based purely on numbers.

  • +24

    Optus has agreed to pay for replacement passports for those affected by the data breach.

    Glad that unlike the drivers licenses, it ain't the taxpayer paying for their stupidity.

      • +12

        I admittedly haven't researched it too much but I was under the impression that it wasn't a very elaborate hack, so on optus' part it'd either be incompetence (stupidity), or malice - and we all know which is better to assume.

        • +6

          They forgot to secure an API endpoint and made it publicly accessible so anyone could basically pull down customer data. There are even reports that they were warned a few months before the hack occurred (it's not even a hack at this point… it's the equivalent of leaving your front door unlocked before going on vacation and some rando walking into your home and stealing all your shit). Calling it stupidity doesn't do it justice.

          Cherry on the cake: Optus' ceo has also been on record several times saying it was an elaborate/sophisticated hack several times even though the public was already made aware of the above by then.

          Initially I was in the 'shit happens/humans make mistakes' camp and somewhat sympathetic, however with the way everything has unfolded, I'd have to say anyone who willingly stays with optus even though they're not locked in any sort of contract are as stupid as they are.

      • +3

        what would you call it then?

        negligence?

          • +17

            @andresampras: The user's private data was publicly accessible in plain text without authentication and had no limit on pull requests.

        • +3

          negligence?

          Dereliction of duty, not to mention sheer incompetence.

      • +12

        No, it's stupid. The bottom line is that primary ID data should not have been stored in plaintext, or, really, at all, considering they only need it at sign-ups time to verify you're not a criminal. The fact that they kept all that data on ex-customers accounts to boot is really lazy. The response to the issue was also stupid, instructing phone employees to lie to people about the severity of the issue and initially downplaying everything. Sulkily offering a year of identity theft prevention protection from a third party is not a solution.

        • +1

          I stand corrected.

          Stupid Optus!

        • +4

          I agree with almost all that you said. However, continuing to keep data on customers after sign-up is a requirement of the federal Government. So there's enough stupid to go around!

      • You just got served

        • -1

          Feels bad.

          I feel so stupid now.

      • Found Kelly Rosmarin's OzBargain account.

    • -8

      I'd say it is the stupidity of an individual who either didn't practice good opsec or training was inadequate in phishing. That is an assumption but the most likely attack vector.

      • +8

        They had an unsecured, public-facing API

      • +1

        That is incorrect unfortunately. It was plain (organisational) stupidity by Optus who had an unauthenticated API endpoint that could be accessed by the public. The "hacker" discovered this and sent millions of requests in sequential order and was just given the data by Optus.

      • -1

        Please remove my uninformed comments

    • +1

      Pretty sure Optus is paying for license replacements too

      "NSW will charge a $29 replacement fee, which it said will be reimbursed by Optus (…) similar arrangements are being made in other states and territories"

      https://www.theguardian.com/australia-news/2022/sep/27/optus…

      • +2

        Optus website says affected customers will get $29 credited to their account for getting a replacement licence.

      • Nice to know — Doesn't seem to be mentioned in the post regarding QLD, though. nvm seems that it is indeed national on second look.

    • +2

      It's already been mentioned on the news and in parliament that Optus will be footing the bill regardless of how customers renew their license. Consumers having the choice of not having to waste time chasing Optus for reimbursement is obviously better. The only people who wanted taxpayers to pay were the LNP for whatever reason. (profanity) party of retards needs to be torn down and re-built from the ground up so both parties actually have decent opposition to keep each other in check.

      • +2

        for whatever reason

        Probably to make their friends happy, isn't that all we're good for? Inflating the pockets of rich people…

  • +21

    I wonder if the expiry date will stay the same?

    • ^ Same, what about expiry dates?

      • Yes same, if you want extension, you have to pay for 5 year period.

        • -2

          Why? The expiry date is set from the issue date?

          • +1

            @jv: Generally that is the case but if you get a new passport issued the issue date updates but the expiration does not. Had to do this with kids passports a few times.

      • +1

        Expiry doesn't change. Just the card number. Bit misleading by the NSW government really.

    • That would be interesting. Since they didn't let me replace my water damaged passport with the same date.

    • That's the problem right, they announce all these things without much thinking/planning and there's all these details missing from it.

    • Mine just expired and I'm not a customer of Optus. Was thinking how can I claim a free passport out of all of this?

  • +1

    I actually was due to renew my license, as it's been too long since my original, I need to go back in person to take a new photo.
    I thought well this is kinda convenient as it will update my expiry at least.

    The line was AT LEAST 50 people long… decided to just give up and give it a few more days.. hopefully QLD transport has a better plan to tackle influx of customers by then…

    Can't imagine how much worse the passport processing is going to be unless the department is putting priority on optus customer processing?

  • +8

    I’m wondering about users who have given international passports and those details having been breached. Definitely want to know/research how the EU will react to the Optus breach for EU passports, does this come under the GDPR? Likewise for other countries outside the EU.

  • +11

    This might be a stupid question but how do you know if your passport was compromised? I did receive an email from Optus to tell me as a former customer my data was compromised but it never gave me any specifics on what data that was and I seem to recall having to use my passport as part of my porting with Optus. This is the extract from my Optus email so doesn't tell me exactly what and I can't remember if I used my license or passport.

    The information which has been exposed is your name, date of birth, email, phone number, address associated with your former account, and the numbers of the ID documents you provided such as drivers licence number or passport number

    Optus said they will be contacting those most at risk directly but do I assume if I just had the blanket email and have not had any other contact that I am OK?

    • +14

      I had a similar email, the lack of context has been pretty unbelievable, however, aware that optus is most likely under the pump trying to match who and what. I’m taking the zero trust approach and assuming my license and passport have both been compromised.

      • +2

        Apparently Optus is going to contact those affected directly over the next few days and tell you what you need to change. I’m going to wait for that but for now I’ll sign up to this free credit monitoring available to any Optus customer.

        https://www.equifax.com.au/optus

        • What was the “unique code provided by Optus” field? Is that something you have to request? I didn’t actually try starting the process yet but saw that as Step 2.

          • +1

            @Smol Cat: It didn't ask me for one when I signed up. It provided me a unique code to enter as I was going through the account creation process.

            • @D1977: Good to know, thank you!

            • @D1977: Looks like they've changed it, it now demands a "Promo Code", else you can't proceed with the signup to Equifax Protect, after you've created a new account and passed their identity check. Looks like I'll have to chase it up with Optus after all.

              • @deadpoet: That's a shame. I managed to fully sign up and provide the appropriate ID documents to reach the 100 / 100 points. It then told me it will take up to 5 days for someone to review my details before it becomes active for me. At no point was I asked to provide any code from Optus and I am also a former Optus customer so would likely not even be given one.

                • @D1977: Hopefully they don't get hacked, funny giving over more information.

                  Btw people could go into Optus and ask what was affected, a relative did.

                • @D1977: It was after my review of documents that it asked for my code. The review of docs took 5 mins for me

    • +1

      How are optus going to contact former customers who don’t use the same email (lost access), is an even more interesting question.

      • +7

        They're not even contacting (all/any) former customers who maintain the same email address, so I imagine they're not.

        • +1

          They got me & I never even received my order. Not even a current customer and last time I was, was 10+ years ago.

          I tried to buy this in April, like a million other people, order cancelled (no stock) got the run around for several weeks+ but of course, they kept all my data & it was compromised.

          Was notified on Saturday. Can we ban Optus deals on here? would be a good start

        • I got an email and I haven't been a customer for over 3 years. Where did it say they weren't?

          • +1

            @8azinga: I haven't gotten one and I was a customer 2 years ago.

            • @[Deactivated]: That may be because none of your data was compromised so no email

              • +1

                @8azinga: My account was in the compromised account range, so that's unlikely.

      • +2

        They are only contacting people with an account number that starts with a "6". if it starts with a different number you need to contact them and go through a waiting game as they cannot check, even though the account may only be 3 or 4 years old.

        The way Optus is handling this is very bad.

        • what about people whose data got compromised and don't even have a ****ing account?

          • @nismo: Were they historically an Optus customer (includes GOMO)?

            • @AndyC1: I put an order in for a tablet + sim deal this year, order was cancelled and I got nothing, but Optus retained my details and they were compromised in the breach.

              Otherwise I am not a customer & don't have an account to login to.

              • @nismo: You have an account as you ordered something and were an Optus customer in order to order the tablet. Just because the order was cancelled does not mean your account was deleted. Companies do not delete your account once created as they assume, right or wrong, that you may order in the future and therefore it is easier if they keep the account active.

                • @AndyC1: You are going in the wrong direction…

                  I do NOT have an account that I can login to. Plain and simple.

                  I am well aware of what companies do and what Optus has done in this case. Otherwise I wouldn't have had my details stolen.

    • +3

      Instructions about halfway down this page.
      https://whirlpool.net.au/wiki/optus_sept_2022_breach

      On rechecking today it looks like that no longer works.
      At the start of the week it displayed my Driver's Licence Number, but now that's gone.
      Clearly they're tidying up what the API has access to.

      • +1

        I did it earlier this week and it's got my drivers license number. I saved the two json files so I have a record.

    • I'm in the same situation, can't remember the ID I used. According to the Optus bot on the app they will let us know shortly. What shortly means is who knows when.. I suspect they are still trying to figure it all out..

    • +3

      You can see what info of yours they have saved. Follow these steps:

      • +4

        Doesn't work now, optus has scrubbed the details. So unless you checked a few days ago you won't know from that method now.

        • Just tried it on private browser and still works fine? Anyone else confirm?

          • +10

            @Hybroid: (As of 30th September 2022, identity document information has been sanitised and no longer shows when looking at the below API endpoints – they now show 'XXXXXX' against indentType and indentValue instead of 'Driving Licence' and license number for example)

            That's on the whirlpool wiki

            Also

            {"documentNumber":"XXXXXXX","documentType":"XXXXXXX","jurisdictionType":"XXXXXXX" is what shows on my link.

            • +2

              @azukay: You can still see the expiry though or 'validityEnd' which you can convert to date format using the epoch date converter. I did this today and was able to match the date on Optus' records to my drivers license expiry date.

              • +1

                @phillyfresh: The date for me doesn't match any of my expiry dates (DL or Passport)

      • I’m getting invalid input at step 4 after editing my contactid from step 2

        • Removed the brackets?

        • same invalid input for me as well. Did remove the brackets

      • +4

        any ideas how to get the contactId for those that were ex-optus customers that no longer have a login? Still got the email from optus

        • +1

          No clue unfortunately, sorry.

        • +1

          I would like to know this also, as it has been over 4 years when I was with Optus.

        • If you remember the email address associated with the account, try to log in with it.

        • Just go into the store perhaps

      • yeah, they've sanitised it.. too late though. a few days ago it showed the drivers lic/passport info.

        they still have the other info in plain text, eg: birthdate, gender, address, email…

      • -2

        wow you have hacked optus. congrat.

      • I can't see anything related to id for me through this, even masked id or any mention of indent. Does that mean the id is not compromised?

        I am a former optus user.

      • I just tried and they have masked some data, email name etc are still visible

    • Did you use your passport as ID? I did as I don’t have a drivers licence.

    • My wife and I both received emails but the wording was different. Hers specifically mentioned passport whereas mine only said ID. Guess I only used drivers licence back then

    • Yeah I wonder too. I haven't been contacted but not even sure they have my new email so wonder how they could.

  • Anyone applying for this forget travelling for next 4-5 months

    I wonder how passports are issued in 1 day if you pay extra 225$ while others wait for 3-4 months

    • +1

      I wonder how passports are issued in 1 day if you pay extra 225$ while others wait for 3-4 months

      https://thumbs.dreamstime.com/b/man-shaking-woman-s-hand-giv…

    • +1

      Money talks

    • +2

      Why? If you have a valid passport you can still use it.

      If you didn't have a valid passport you wouldn't be travelling anyway.

    • If it gets close to your departure date you can put a rush on it but it costs you extra. That’s what people had to do when the borders reopened and passports were behind big time.
