With millions of identity documents exposed in Optus’ data breach, many Australians now need to replace their cards and passports to make sure they can’t be used by criminals for fraud and theft.
And with the Prime Minister confirming on Friday that Optus, and not taxpayers, would foot the bill for at least the new passports, just how big a bill could Optus end up with to clean up the mess?
Estimating these numbers requires a healthy dose of assumptions and guesswork, given the lack of solid details on what data was stolen. It’s believed up to 9.8 million Australians had their personal data compromised in the breach, but only 3 million or so had identity documents like passports or drivers licences exposed, along with 37,000 Medicare numbers.
It’s impossible to tell at this point how many individual documents Optus would have to pay to replace, especially given some people would have only had a passport or a licence exposed and not both, and some of the data will likely be out of date. But let’s assume an extreme outcome where the telco had to pay to replace 3 million passports, 3 million drivers licences and 15,000 Medicare cards (22,000 of the exposed numbers were expired).
Licences are easy to calculate, as they cost an average of around $27 to replace, depending on your state. Assuming it wouldn’t cost extra to change the numbers, and assuming Optus couldn’t arrange some kind of bulk discount, the final price tag lands at $81 million.
Passports are a bit trickier. They usually cost $193 to replace, but can be free in certain situations, so it’s unclear what the actual cost of replacement would be in this scenario. So at maximum that’s $580 million, but in all likelihood it would be much lower after Optus works the issue out with the relevant department, and you subtract the customers whose passport information was not included or was out of date.
Then we have the Medicare cards, which consumers are generally not charged for replacing. So, assuming Optus would pay for these at all, we have to pull a number out of the air and guess a $20 replacement cost per card, making $300,000 for the lot.
All that considered, in this extreme hypothetical scenario, it would cost Optus up to $661.3 million to replace everyone’s documents.
Optus has offered affected customers a free 12-month subscription to credit monitoring service Equifax. That costs $14.95 a month, so if 2.8 million customers accepted the offer, it could potentially add $502 million to the bill.
Optus’ parent company Singtel made a profit of $2.1 billion for the year ended in March.
But that’s just covering the fees, and those affected by the breach would still likely be inconvenienced in other ways.
Medicare cards, for example, often take a month to arrive after they’re sent out, meaning people would need to rely on digital versions on their smartphones in the interim.
Passport production is already delayed thanks to a post-pandemic travel rush, in some cases taking more than three months, and things are unlikely to improve once Optus places its order for 3 million more.
And then there’s the fact that the entire application and fulfilment process is likely to be an administrative nightmare. Criminals are already sending out fraudulent emails asking people to enter their details and apply for replacement documents and compensation from the Optus breach, making any legitimate attempt to validate people’s identity a complicated exercise. Meanwhile, there’s the real possibility that some of the people affected have their details floating around on the dark web, with identity thieves just waiting for a chance to strike.