In 2019, Georgia realised $7,000 was missing from her bank account.
She rang her bank immediately and spent hours on the phone, trying to understand what had happened to her money.
Eventually, they figured out that a woman had visited one of the bank's branches with a copy of Georgia's drivers licence and Medicare card.
The woman, who was pretending to be Georgia, had told bank staff she was facing a crisis and needed to access the money in Georgia's account.
"They knew my account number, they knew enough that they [the bank] just handed the money over to them. I guess that's human error at its finest," Georgia said.
She now knows that her personal data was stolen from her real estate agent.
But for the past three years, the issues stemming from the theft of Georgia's identity have continued.
"I've had multiple bank accounts opened in my name … I've had two debts from buy now, pay later accounts and actually had debt collectors sent after me for those, I had a fraudulent tax claim made," Georgia said.
Now, Georgia is one of almost 10 million people caught up in the Optus data breach.
She said she wasn't surprised when the company informed her that her data may have been compromised.
"I knew it was coming … but yeah it comes through and you're like 'great, here it goes again'," she said.
'No real requirement' for companies to delete data
The Optus data breach included the names, dates of birth, email and postal addresses, phone numbers, Medicare card numbers, passport numbers and drivers licence numbers of many of their current and former customers.
It's the kind of information some companies use to prove a customer's identity when signing contracts.
As the fallout from the data breach continues, new questions around the effectiveness of Australia's privacy and cybersecurity laws are being raised.
There have been calls for new laws to prohibit companies from engaging in unnecessary data harvesting, as well as more severe penalties for companies that fail to protect customer data.
The federal government has signalled it wants new legislative reforms to focus not just on harsher penalties, but on capping how long personal data is kept for and whether the data needs to be kept at all.
Jeffrey Foster, an associate professor in cyber security studies at Macquarie University, said in some cases the stolen information in the Optus case would be enough to apply for credit in the victim's name.
Dr Foster said under current laws, telecommunication companies were required to keep data for several years, even after people were no longer customers of the company.
"There's a lot of data in there and we don't really know what information needs to kept or doesn't need to be kept," he said.
"There's no real requirement for them to delete your data after you're no longer or customer or after a minimum period of time."
He said laws in the European Union required companies to remove data after certain periods of time and give customers the ability to request the deletion of their data.
"We don't have those rights within Australia for data. Companies can hold on to your data and you have no right to deletion," he said.
Expert warns of rise in scams
Dr Foster said another likely consequence of the data breach was a boom in targeted scams.
He said he had already seen scammers pretending to be the hackers behind the Optus cyber attack, contacting people and offering to delete the information for a payment.
"There's a third of the country that now believes their documentation has been stolen, their identity has been stolen, and that makes all of us easy targets for scam calls," he said.
Dr Foster said people whose documents had already been leaked would be contacted by scammers "incessantly."
"[Scams] will increase throughout the population in the coming days and coming weeks. Even the general ones … to people whose data hasn't been leaked yet, scammers will take advantage of the fact that we're in a confusing situation," he said.
"It puts everybody on edge and in a bit of a vulnerable state throughout the country."
He said the first thing people should do to protect themselves from scams and identity theft was to change their passwords on their most sensitive accounts, such as bank and superannuation.
Even though Optus has said passwords weren't released in the hack, Dr Foster said many passwords had already been compromised anyway, and combined with the newly stolen data, could become a treasure trove for criminals.
He also suggested people set up two-factor authorisation, which provides an additional layer of protection above a password, like a phone code or touch ID.
He said people who were very concerned could ask credit agencies to lock their credit report so no lines of credit could be issued in their name.
"It helps lock it up, [but that] also makes your life difficult if you need credit," he said.
"So if you're looking to apply for a home loan, or buy a new car or actually go get a new credit card, having your credit locked is a problem so you've got to take the good with the bad in there."
People would have to supply identity documents to the agencies to have the credit lock lifted.
'Protect yourself before it happens'
Georgia encouraged people to be proactive about their online security.
"Do what you can to protect yourself before it happens, because once it happens there's no going back," she said.
Georgia said she lost large amounts of money by having to take time off work and travelling interstate to replace her identity documents.
But despite that, she feels lucky.
"I can speak English and I'm technologically literate and I know who to call and how to use a computer and the internet," she said.
"One of the biggest things for me was always thinking, this sucks, but I can deal with this … I can't image how hard it is for people who can't deal with this sort of stuff."