Optus customers told they would not need a new passport after their documents were compromised in the recent data breach have now been notified that they can no longer use this document for online identification.
Daniel Reeders, whose passport was one of more than 100,000 exposed in the Optus hack, had been told that all was well and he did not need to start the process to receive a new passport.
However, late Friday he was informed he would no longer be able to use his passport online as identification.
The Sydney health promotion practitioner does not drive, so his passport was his main identification document. But Optus asked the federal government to block exposed passport numbers from being used in the national Document Verification System.
The DVS was used for government departments, granting access to health and welfare payments, and for banks and other institutions.
“I was so angry that Optus took that action without consulting the people affected,” Reeders said.
“If they’d asked me, I probably would have taken the chance with someone using it … I wouldn’t have cut off my only identification.”
More than three weeks after Optus revealed a massive cyber-attack had put about 10 million customers at risk, the ramifications have continued to ripple.
My passport number was included in the #OptusHack.
— Daniel Reeders 🏳️⚧️ (@engagedpractx) October 14, 2022
Without asking me, @Optus has blocked me from using my passport to verify my identity.
I don't drive; my passport is my primary identification document. I am not happy, Jan. pic.twitter.com/ELWXd21Bzk
Optus said valid passports would be blocked from the DVS for three years past their expiry. There were “specific circumstances” where customers would be reimbursed to replace their passports, but that process was yet to be formalised.
The Australian Passport Office said the move would “safeguard customers’ personal identity information online”.
“Once a customer’s Australian passport has been blocked through the DVS, they can still take their passport physically with them to an institution or establishment as proof of identity,” it said.
The alleged hacker took names, birth dates, phone numbers, addresses, passport, healthcare and driver licence details.
In the confusion and panic after the attack, people queued to replace their compromised documents, and the government has now ramped up its efforts to tighten up privacy laws.
The prime minister, Anthony Albanese, said Optus should pick up the tab for new passports, and Optus has said it would pay for replacements.
On Friday, the Optus chief executive, Kelly Bayer Rosmarin, said the right safeguards had been put in place so that “no customer who had a passport number exposed” needed to get a new passport.
But their existing passports would now no longer be accepted online for crucial administrative tasks.
The Department of Home Affairs created a register so that “compromised identities” would not be used fraudulently. It does that by stopping them being verified through the DVS.
“However, this means rightful owners will not be able to use them online,” the department said in a statement.
“New credentials issued following the data breach will work as normal.
“In the interim, impacted individuals should consider using alternative credentials or speak to service providers that ask for identification for other options, such as visiting the service in person to present the credential.”
Reeders has now switched telcos, and accused Optus of “bad faith”.
“It was sneaky dropping that in my inbox at 4pm on a Friday,” he said.
“[They were] taking out the trash.”
Guardian Australia has contacted the home affairs department for comment.
