I knew from reports that Optus had begun working with governments and that new details would come to light, and at least this email gave some specificity (i.e. “Medicare number” and not just “some combination of details from your passport, driver’s license or other ID document”).

Loading

Then again, I also knew that for many other people this would be an alarming development. First they say it’s not so bad, and now they say it’s worse? What else have they yet to find out? Do criminals have my Medicare card now, and what can they do with it?

Medicare numbers on their own aren’t very helpful to crooks; you generally need your reference number and expiry date, too. Plus, I was fairly confident my current Medicare details are completely different to what Optus would have had on file.

Optus suggested in the email that I get a replacement Medicare card, which I know from experience is annoying; everyone on your card has to rely on digital versions on their phones for a few weeks while you wait for the replacements.

But it will be much worse for anyone whose current passport number has been exposed, especially if they’re expecting to travel any time soon.

Now that I was in the higher risk category, Optus offered me a 12-month subscription to Equifax Protect, but I was left to do my own research about what this was. Heading to the cited website (there was no link, so Optus passed that test) and entering the cited unique code, I was immediately asked by Equifax to provide them with 100 points of ID, which I didn’t particularly feel like doing given the context of the situation.

Still, for anyone who might have a full set of their current details plus 100 points of ID out there on the internet, a monitoring service like Equifax’s could be the only way to get a heads-up on attempts at identity theft.

I don’t think it’s necessarily a knock against Optus that it took more than a week to tell me one of my ID numbers had been exposed. There’s an awful lot of sensitive data to comb through, millions of people to inform, and you want to take the time to get it right.

But reading back over the emails and trying to imagine I wasn’t someone who had to think about this stuff as part of their job, I’m struck again by how much of the stress, worry and work of the fallout seems to have landed with the customers here. From trying to work out what data was actually exposed and how dangerous it could be, to organising replacement IDs, applying for Equifax and figuring out if there are other mitigations you need, it’s an unwelcome headache even for the most tech-savvy among us.