Optus data breach: customers yet to be reimbursed for passport replacements
The federal government has not yet finalised a process with Optus for customers affected by its recent data breach to have their passports replaced for free, with no victims yet having their costs reimbursed nearly a month on from Anthony Albanese’s public demand.
The Department of Foreign Affairs and Trade says about 100,000 passport numbers were released in the Optus breach but that customers do not actually need to replace their passports, citing crackdowns on the use of those documents for identity verification processes.
But despite the federal government hailing Optus’s agreement to replace passports as a win, the telecommunications company cannot say when or how it will start to repay fees for customers who choose to get a new one.
“This process is currently being finalised and we will update customers ASAP,” an Optus spokesperson told Guardian Australia.
Following the release of thousands of customers’ data in the wake of the September breach, Albanese and the foreign minister, Penny Wong, publicly asked Optus to cover the costs of replacement passports.
“I seek your earliest confirmation that Optus will cover the passport application fees of any customer affected by this breach whose passport information was disclosed and who choose to replace their currently valid passport,” Wong wrote to the Optus chief executive, Kelly Bayer Rosmarin, on 28 September.
The foreign minister raised concerns that passport information could be “subject to exploitation by criminals”.
The federal opposition had asked the government to waive fees and expedite applications for customers requiring new passports. In parliament, Albanese said “we believe that Optus should pay, not taxpayers”.
Two days later, Albanese said Optus had agreed to his request, saying its acceptance was “entirely appropriate”.
Nearly a month on, Dfat said Optus had advised that about 100,000 passport numbers had been released in the data breach and that affected customers were being contacted by the company.
But despite concerns raised over crime, the Dfat spokesperson sought to allay fears.
“These passports are still safe to use for international travel and passport numbers cannot be used to obtain a new passport,” they said.
“As a result of the government’s response, customers impacted by this breach will not need to replace their passports.”
The spokesperson said that, in a bid to thwart identity crime, the Department of Home Affairs had blocked the passport numbers of those affected from being used in the federal document verification system (DVS) – the framework that checks identity documents before granting access to government or financial services.
“Customers who need to have their identity checked using the DVS should consider using alternative credentials, or speak to the service provider asking for identification for other options, such as presenting the passport in person,” they said.
“Customers may still wish to replace their passport, but due to unprecedented demand they should not apply for a replacement if they need it to travel soon.”
For customers still wishing to get a new passport, Dfat reiterated that Optus would reimburse costs but that people would need to pay the fees upfront and seek reimbursement.
However, Dfat was not able to outline how reimbursement can be sought. Dfat said the company was still “formalising its reimbursement process” and recommended customers contact Optus.
An Optus spokesperson also noted that government advice was that passports did not need to be replaced.
“If some impacted Australian passport holders choose to replace their valid passport then we will reimburse the replacement cost,” they said in a statement.
Optus could not immediately provide any further information on the reimbursement process. The company would also not confirm whether it would only pay for standard processing fees of $308 for 10 years or if it would also cover the extra $225 for priority processing of passports.
Optus could not confirm whether any data breach victims had received reimbursement for passport fees yet, but Guardian Australia understands no customers have been repaid.
It’s understood Optus’s deliberations on the reimbursement process include concern over whether all affected customers would apply for a new passport, despite government advice that it was not necessary, in order to avoid paying their own replacement fees.
Asked about its investigation into the Optus data breach, an Australian federal police spokesperson said the agency “will not be providing further comment, as investigations remain ongoing.”