Optus and Medibank Breach — What Affected Australians Must Do Right Now

The Optus and Medibank data breaches collectively exposed the personal data of over 15 million Australians. While these breaches occurred in 2022, the stolen data continues to circulate on criminal markets in 2025-2026 and is being actively used in targeted fraud attempts years later. If you have not yet fully addressed the consequences of your data being exposed, here is what to do now.

If Your Data Was in the Optus Breach

Optus exposed names, dates of birth, phone numbers, email addresses, and for approximately 2.1 million customers, driver's licence or Medicare numbers. If your identity documents were exposed: apply for a replacement driver's licence through VicRoads — this is free for Optus breach victims. If your passport number was exposed, consider whether your specific circumstances warrant applying for a new passport through the Department of Foreign Affairs (a fee applies). Place a credit monitoring alert on your credit file with Equifax, Experian, and illion. Change passwords on any account using your exposed email address and enable MFA.

If Your Data Was in the Medibank Breach

Medibank exposed health claims data for over 9.7 million people, including in some cases highly sensitive information about mental health treatment, addiction services, and other procedures. Monitor your email and phone for targeted scam attempts that reference your health information — these attempts have been documented and reported to police. The stolen data is still circulating and being used years after the breach. If you receive any contact that attempts to use your health information to coerce or embarrass you, report it to police and to the OAIC.

General Actions for All Affected Australians

Check your personal email at haveibeenpwned.com to see which breaches have exposed your information. Enable MFA on all important accounts — email, banking, myGov, social media. Use a password manager to maintain unique passwords for every account. Check your credit report for any accounts or enquiries you do not recognise. Contact IDCARE (idcare.org or 1800 595 160) for specialised, free support if you believe your identity is being misused. And remain vigilant — the data from these breaches will continue to be used for years. Targeted phishing, impersonation scams, and identity fraud that reference your real personal details will continue long after the public attention on the breach has faded.

The Data Is Still Being Used

One of the most important things to understand about major data breaches is that the stolen data does not have a use-by date. The Optus and Medibank breach data continues to circulate and be used in 2025-2026 — years after the incidents occurred. Criminals who purchased the data may hold it for months or years before deploying it in targeted fraud. This means that if you have not yet taken action to protect yourself following these breaches, it is not too late — the risk is ongoing. Enable MFA on your myGov and email accounts today, and check your credit file for any activity you do not recognise.

If You Are Experiencing Identity Fraud

If you believe your identity is being actively misused — fraudulent accounts opened in your name, attempts to access your financial accounts, or targeted scam attempts that use your personal details — contact IDCARE on 1800 595 160 for specialist, free support. IDCARE works with victims of identity crime and data breaches and can help you develop a response plan and work through the recovery process. Document everything and report to the OAIC and to police if you are experiencing ongoing harm.

The IDCARE Resource

IDCARE is Australia's national identity and cyber support service — a free, specialist resource for Australians affected by data breaches and identity theft. Unlike generic cyber security advice, IDCARE provides personalised guidance based on exactly what information was exposed in your specific breach. Their case managers — trained in identity recovery — can help you understand your specific risks, prioritise your response actions, and navigate the process of restoring your identity if misuse has occurred. You can reach IDCARE at idcare.org or by calling 1800 595 160. If you have been affected by the Optus, Medibank, or any other data breach and have not yet contacted IDCARE, it is not too late — their support is available to breach victims regardless of when the original incident occurred.