Credential Protection Register: a lifeline to victims of identity crime
In September 2022, Optus announced that it was subject to a data breach, exposing the personal details of millions of individuals and businesses Australia-wide. The details exposed in this attack included important identity documents such as passports and driver licenses.
In exposing the information of Optus customers, the leak also exposed that the protections in Australia at that time were not adequate in the modern context, and put the affected individuals at a significantly greater risk of criminals using the leaked information and credentials to commit identity fraud. In response to national data breaches, the Australian Government introduced the Identity Verification Service Credential Protection Register (CPR).
The CPR protects individuals whose personal details and credentials have been stolen from suffering additional harm by ‘locking down’ the stolen credentials. It does this by stopping compromised identities from being verified through the Document Verification Service, while still allowing the rightful owners of these identity documents to use them. For example, individuals can still use their Australian passport for travel but criminals are stopped from using their documents fraudulently.
The CPR has blocked over 300,000 attempts to use stolen credentials for fraudulent purposes since it was established in 2022. It helps individuals protect their identity, and stops the sale of personal identity credentials on the black market. It also stops other illegal activities that require stolen credentials, such as scams, money laundering and fraud.
In the 2024-25 Budget, the Australian Government provided an additional $11.0 million over four years to:
- further enhance the CPR to enable Australians to easily protect their identity credentials from being used for identity and cybercrime
- respond to future data breaches
- support and protect victims of identity fraud and theft.
This includes the development of a mobile phone application and secure website that will allow victims of identity theft to be notified if someone is attempting to use their identity, and to act quickly to access services that will protect their identity.
These commitments are part of a concerted effort by the Australian Government to protect Australian identities in the face of rapidly developing technologies and threats.
If your identity credentials have been compromised in a data breach, visit the ID Match Data breach page for advice.
Author: Identity and Biometrics Policy Branch, Attorney-General’s Department