The WA government says it's looking at all options to safeguard West Australians' identities, after concerns were raised they have been left uniquely vulnerable by last week's cyber attack on Optus.
That's because while every other state allows for driver's licence numbers to be changed in situations like this, WA does not.
It was a lesson Stuart Spouse learned the hard way a few years ago, after he got a phone call to say his driver's licence and Medicare card were being used in Sydney to buy a SIM card, when both were in his pocket in London.
The situation was eventually resolved by the company, which did not give the scammer a SIM card, and he was able to have his Medicare number changed.
But the threat of his driver's licence being used by criminals still hangs over his head because the card in his wallet still bears the same number swirling around the internet.
"It's a bit ridiculous to me," he said.
"If you can't change your licence number, how many times can that be used?"
'Big concern' West Australians left behind
It means scammers still have a so-called "golden ticket" to use Mr Spouse's information, because of the myriad ways driver's licences are used to verify people's identities.
Cyber security expert Caitriona Forde said the biggest risk was scammers taking credit out in people's names, without their knowledge.
"What the cyber criminals do is go onto places like the dark web and see what information is there about you, to start creating a profile that they can then use against you," she said.
"They can then apply for any type of credit in your name, AfterPay and all those types of services that are available.
"They just use that to basically fraud you out of money."
Ms Forde said it was a "big concern" West Australians were being left more vulnerable than others in this situation.
"The government needs to give us better availability to change some of our documents," she said.
WA government "willing to consider"
In 2019, the WA government said "integrations with other state government record systems" meant the Department of Transport was completely unable to change driver's licence numbers.
They said a review of that position would be completed as part of implementing a national agreement on identity security.
Legislation to implement that agreement came into force in WA in April, but this week Transport Minister Rita Saffioti would only say she had "sought advice from the Department of Transport on the matter and [issuing new licence numbers is] something I'm willing to consider".
In a statement, a state government spokesperson said it was hoping to have further information for affected licence holders today, and would provide an update "shortly after".
"The state government is currently looking at all options to safeguard the identities of Western Australians that have been affected by the Optus data breach," they said.
"The Department of Transport is working closely with [the Department of] Home Affairs and other Australian road agencies for confirmation of WA licence records that may have been affected by the breach."
The opposition's shadow transport spokesperson, Shane Love, said it was time for WA to be able to issue people with fresh driver's licence numbers.
"It's shown that WA is behind the times in terms of being able to take action to protect your own identity," he said.
"If you had that situation, you knew that your driver's licence had been shared inappropriately, then of course you'd want to change it, and people should have that right."
Mr Love said everything driver's licences are used for makes it "quite likely that someone, at some point, might try to use that information".
Historic breach at Landgate admitted
It comes after the WA government admitted its official register of land ownership, Landgate, had also fallen victim to a cyber attack in March 2018, although it was unclear what information was taken.
A spokesperson said the government's cyber security monitoring team advised Landgate of a "historic breach of a limited amount of internal Landgate data" in August 2022.
It's understood the breach relates to information posted on the same website that the Optus breach was posted to.
A user on the site claimed to have around 125,000 emails from Landgate, which they said were taken in March 2018.
"The compromised data contained internal Landgate email addresses and system logs," the government spokesperson said.
"It did not contain any personal information, nor credentials."
The spokesperson said an investigation determined the affected data was limited in scope, and current information security practices would "sufficiently mitigate further risks".
"The root cause of the issue had been addressed and resolved by Landgate's cloud service provider in November 2018," they said.