VicRoads will issue almost 1 million new licences to Victorians who had their privacy breached as part of October's Optus hack.
- VicRoads will issue redesigned licences in response to the Optus breach
- A new security number will be printed on the back of the card for identity verification
- An estimated 942,000 Victorians were affected by the October hack
The breach affected up to 9.8 million current and former Optus customers who had personal details such as passport and licence numbers stolen in the hack.
VicRoads said data obtained from the Department of Home Affairs confirmed that 942,000 Victorian licence holders had their details compromised as a result of the Optus data breach.
The government will now issue redesigned licences with an additional security number on the back, similar to card verification value (CVV) codes used on credit and debit cards.
"By the end of the year, these customers will use both their licence number and card number to prove their identity for services like opening bank accounts, loan applications, phone contracts and real estate transactions," VicRoads said on its website.
About 342,000 Victorians flagged as directly affected by the Optus breach will receive their new cards by the end of the year, while the remaining 600,000 identified by the Department of Home Affairs can expect their cards by the first quarter of 2023.
While new cards will be provided to the licence holders caught up in the breach, the security measures will become standard from November 2022 for all new and replacement licences.
"The Victorian government will work to progressively implement this additional protection for all 5 million Victorian licence holders once the rollout for those impacted in the Optus data breach is completed," VicRoads said.
Cybersecurity expert Simon Smith said this was "not good enough" and all licences needed to be moved to the new system.
He said some Victorians would be waiting 10 years, as this is the maximum time a licence is valid.
"For the system to have any purpose, there needs to be both replacement of all Victorian licences by a set date and centralised enforcement, protection and validation of the verification data on an ongoing basis," he said.
He also cast doubt on implementing a verification number as a security measure.
"What good is a verification number if it too is stored with the data that gets breached? It certainly is not a form of 2FA," he said.
"It is not really specified how the main database will be protected, how validations will occur for existing companies, and how mismatches and existing licences holder queries will be treated."
The government said it would seek reimbursement of costs from Optus for the replacement of the licences.
VicRoads said it was in discussions with Medibank to understand if Victorian driver's licence data had been part of their breach, but said it did not have any confirmation that any Victorian driver's licences had been exposed.