The ACT government is working out what it will do to issue replacement driver licence cards to territory residents who have both their licence numbers and card numbers compromised in the Optus data breach.
Optus customers had earlier expressed frustration with the ACT government when they were told they could not change their information following the breach, which an expert has called "shockingly irresponsible".
The ACT government said it was working with other states and territories to assess the scope of the information that had been compromised in the data breach, and that it had set up a dedicated team to respond to affected Canberrans.
Services provided to the territory by Optus are not affected by the data breach and government account holders with Optus have not had their information breached.
"However, the ACT Government's current understanding is that personal Optus account holders' information, including driver licence numbers, have been compromised," the government said in a statement on Tuesday evening.
Canberrans are able to replace their driver licence card for $42.60, which will mean they are issued a new card number.
Modern identity systems generally require both a card number and licence number; the licence number does not change except in exceptional circumstances, while the card number changes each time a licence is issued.
Access Canberra said it understood the significant majority of cases affected in the breach contained driver licence numbers but not card numbers.
"If you have been notified by Optus that a data breach may have exposed your licence details, but no fraud has taken place, Access Canberra is able to replace your licence card, but not the licence number," Access Canberra said.
Driver licence numbers can be changed when there is evidence of fraud or identity theft.
The government said it would issue another update in the next 24 hours.
Optus customer Jackie, who called Access Canberra and tried to change the driver licence number she had given the telecommunications company when she signed up, was told the number could not be changed.
"Frankly, I am pissed off," she said.
Jackie also contacted her local Legislative Assembly member Mark Parton and Business and Better Regulation Minister Tara Cheyne, who were also unable to help.
A spokesman for Ms Cheyne told Jackie "all ACT driver licence cards have not only a driver licence number but also a unique 10-digit card number displayed on the card which changes each time a card is produced and reduces the ability for the card to be fraudulently used, such as in the case of a third-party data issue".
Jackie said she has spent the last few days removing unnecessary accounts and personal information from the internet and is now "very hesitant to provide my information, even for legitimate purposes".
How did this happen?
Vanessa Teague, chief executive of Thinking Cybersecurity and an adjunct associate professor at the Australian National University, said cyber security researcher and writer Jeremy Kirk from ISMG Corp reported the data had been stolen from an unauthenticated application programming interface.
An API is "basically a server that responds to queries without checking that the person making the queries is legit".
She said "if that's true, it would be shockingly irresponsible and in fact, it almost doesn't qualify it or almost wouldn't be characterised as hacking".
"Because if all the person did was query an endpoint that was left open, it's almost like they just asked questions that should never have been answered."
What can be done with your information?
Ms Teague said personal document numbers are the most concerning information stolen as they are needed to open bank accounts and commit financial fraud.
Jackie said she is "really distressed because I was in the group that had lost the licence number ... it's the fact that the licence number is gone that really upsets me and gets these criminals a bit closer to being able to commit an identity theft action against you."
What can you do to protect yourself?
Ms Teague said the ACT government allowing people to change their driver's licence number would help prevent fraud, but she also believes Australia needs to rethink security laws.
"This is a regulation by the federal government that demands providers of a telecommunications service acquire hard digital identification, or certain non-digital identification documents before they provide phone collections.
"So we've chosen to do this. We didn't have to choose to do that. There would be plenty of countries in which the telecommunications providers simply didn't have all of that identity documentation that can be so easily used for identity theft in the first place."
She said people should write to their local Members of Parliament to ask for reform to data retention and surveillance laws.
Ms Teague also suggested the Australian government create a better digital ID scheme "so that we can identify ourselves online without flashing passport numbers all over the internet."
"It's a bit of a horse has bolted situation now. So there's not a lot that can be done now and it's important to understand that there are going to be bad consequences, because the breach has already happened," she said.
If you are concerned that your information may have been included in the recent Optus data breach, check the Optus website for information and contact Optus via the My Optus App or call 133 937.
Support is also available via IDCARE, Australia's national identity and cyber support service. You can contact IDCARE for free support on 1800 595 160 or visit idcare.org. They also have a fact sheet available here.