An anonymous hacker, ransom threats on the dark web, 9.4 million Australians compromised, a government that disagrees with your approach and a business scrambling to make amends.
It's the nightmare scenario for a company like Optus.
The nine days since the largest breach of its kind was announced have been filled with confusion as Optus has struggled to explain to customers who is affected and how.
Around 10,000 Australians have already had their private information released on a dark web forum by the hacker, who later deleted the post.
The AFP launched Operation Guardian on Friday to investigate the leaking of that data.
Kathryn Gledhill-Tucker, a Nyungar technologist and the vice-chair of digital rights non-profit Electronic Frontiers Australia, says an attack like this shouldn't have come as a surprise.
"We talk about data breaches as not if it happens, but when. Certainly, this scale of data breach is unprecedented and absolutely it could have been avoided and the response has been kind of messy," she said.
The cost, the stress and inconvenience will likely be felt beyond Optus and its customers in ways the experts are just starting to define — perhaps even over international borders.
For Gledhill-Tucker, one thing at least is very clear.
"Customers, not the company, are the real victims of a massive data breach," she says.
This goes beyond Optus
If we start unpicking a data breach of this scale, the potential damage is staggering.
As the dust settles after the first week with millions still waiting to see how they're directly affected, the blowback will likely go beyond Optus and its customers into the way all Australians carry out their personal business for months to come.
With up to 9.4 million records of Australians' sensitive personal data potentially compromised, services we've taken for granted, such as applying for credit or proving our identity online, might be slowed down or stopped.
Licensing authorities and the passport office — which had already been facing huge delays — will be jammed with replacement requests.
The 100-point identification system — the mainstay of applying for anything from a rental to a credit card to a police check — has been undermined.
Cyber security expert Jeffrey Foster says it is what's been stolen that makes the impact so huge, with scammers potentially not needing anything else from victims to strike.
"If you want to look online, get yourself a new credit card, as people do on a regular basis, you just need to be able to have identifying information about yourself — exactly what was leaked here," he says.
"So it's an extremely low bar, meaning [the hackers] don't even have to tie any additional information to you from previous leaks or go trawling through your social media to find information about you."
Kathryn Gledhill-Tucker says the impact on identity regulation is hard to predict, but could be long-standing.
"I expect a lot of banks and those kinds of financial institutions are going to be extra vigilant for years as well if you can't trust 100 points of verification processes," she says.
Consumer data advocate Kate Bower from CHOICE says this has created a big problem for banks and financial institutions — in fact, anyone with payment systems.
"It's going to be a much, much stronger burden on them to be able to identify potential fraud, potential identity theft on their systems," Bower says.
"The ripple effect through Australian businesses and potentially even globally, is quite large and unknown, really, at this point."
Jeffrey Foster says it's not just Optus that will be counting the cost.
"These are the knock-on effects of when you have a third of the country feeling some fear.
"When you call your bank, the amount of everyday value that it's going to cost that bank is around $40 for every phone call they get," he says.
"So you're going to start getting a lot of those emails from companies who essentially want to assure you that your stuff with them is safe.
"They don't want 5 million phone calls and having to field those for people who don't know, because there's been no communication."
Mr Foster says that for licensing authorities — regardless of whether Optus pays for licence replacements for some or all affected customers — it's a cost burden that will be picked up by taxpayers.
"They're still fielding phone calls day-in, day-out right now from people who want to know information, and it's costing the taxpayer money to do that."
It started with a press release
But for now, of course, the Australians facing the biggest headache are those whose data has been stolen or already leaked.
For them, the first they heard about the breach wasn't from the company: it was in the media, after a press release went out last Thursday — the national day of mourning for the Queen.
Nine days later, many Optus customers are still waiting to hear if they've even been affected at all, Kate Bower says.
"This is a telecommunications company. If any business should be good at communicating with their customers, it's the one that owns all their phone numbers, right?
"It's absolutely outrageous that they haven't been able to get the message out to customers quickly to enable them to protect themselves," Ms Bower says.
Optus explained its decision in its FAQs: "We did this as it was the quickest and most effective way to alert as many current and former customers as possible, so they could be vigilant and monitor for any suspicious activity. We are now in the process of contacting customers who have been impacted directly."
But communications expert Nicholas Grech says that path would have missed many customers who aren't watching the news.
"There are entire segments of their customer base that may have never read or will never read traditional news. A lot of Gen Z customers, in particular, or some of their teenage customers, there's no way for them to have been aware of what happened," Mr Grech says.
"The first few hours of a crisis is really the most important part.
"You've got to get that effective strategic communication out very quickly," he says, adding that direct messages would also have helped spread the information via word of mouth.
Waiting game for customers
While all of this is playing out, Optus customers have been wondering what to do next: were their details hacked? Were they released publicly already? How can they proactively stop the risk of damage?
Unfortunately, there's no clear answer.
Jeffrey Foster says we are still flying blind.
"Customers still don't know which of their documents, or if their documents were taken, or which ones and we're still waiting to find that out," he says.
"That's coming supposedly within the next couple of days, but it should not be this long.
"For the 10,200 people whose information has already leaked, it's extremely problematic. For the rest … about a third of them had at least one document leaked. We don't know which one — at least — for them."
Ultimately, one question many Optus customers will want answered is how the company will compensate them for the damage done — not just via paying for replacement documents, but for the stress and administration burden placed on them.
"This has been a huge stress to people as well, and particularly if you've previously been a victim of identity theft," Kate Bower says.
"It can be really distressing, there is an emotional cost and a labour cost as well.
"Potentially millions of people have just had a week of anxiety and worry and life admin things that they didn't plan on doing. I do think that compensation would be fair."
What's next for Optus?
It's still early days to see how much this crisis will affect Optus's business and in which ways — from consumer class actions, the total cost of licensing and passport replacements, any fines issued, and how big the reputational damage will be for the country's second biggest phone network.
The bill could reach an eye-watering amount, especially if customers start leaving.
Kathryn Gledhill-Tucker says the company is getting off lightly, compared to what the consequences could be in other jurisdictions.
"If we were in the EU, for example, and Optus needed to be compliant with the GDPR [General Data Protection Regulation] then they would be looking at a fine of up to 20 million euros ($30m) or 4 per cent of their annual turnover, whichever is greater, which would have been enormous and that's separate to the issue of damages as well for individuals," she says.
"Without that, the real consequences in Australia are going to be significant reputational damage, which isn't nothing, and an exodus of unhappy customers.
"But other than that it's people and individuals and customers who are really having to clean up after this mess. They're the ones who have to make proactive changes to protect themselves from identity fraud, to scramble around trying to figure out what the blast radius is going to be and that's totally unfair."
Jeffrey Foster agrees, saying the lack of good data regulation laws means the penalties for corporate breaches don't measure up.
"We just don't have good data regulation laws, and even the penalties for failing to meet what little regulation laws we have, the maximum penalty is around $2.2 million ... for a small business, that would cripple them, for Optus that's nothing," he says.
It doesn't stop with one company
Other businesses will be watching on as Optus's worst-case scenario plays out.
Contingency plans will be dusted off to see how they would cope with a similar attack.
Kate Bower says many of them will be wondering if they have centred their customers in an appropriate way.
"Often what you'll see happen in this situation is a communications reputation response and you might get an internal response by their cybersecurity teams and the IT teams, but you're not getting a kind of a customer-centric, consumer-facing response," she says.
"This will be a good wake up call for a lot of businesses to start focusing a lot more on their customer service."
That means, too, that they'll be looking at how much data they keep on file and if they really need it.
"Really, this problem starts at the source which is the rampant data collection from businesses and the way that that data is stored securely," she says.
"Now is the right time to be asking the question: how much data should businesses be allowed to hold or to collect and then if they do collect it, how long should they be holding it for?"
What's next for Optus?
After a bumpy start, Nicholas Grech says Optus are making better use of their mobile network to reach out to people, along with emails.
"Consistent transparent communication is the key now across the right channels to reach the right people. So just making sure that they're transparent with everything that's happening with the customers because this is a big breach for people — the fact that our driver's licence numbers might be publicly available on the internet — is scary for a lot of people," he says.
"Optus needs to just ensure that they're transparent about what they're doing to help solve the problem, and they're consistently communicating through the right channels and with the right spokespeople from the organisation."
This means, Mr Grech suggests, having staff with the right expertise — such as a chief technology officer or a chief security officer — help communicate their message, not just relying on spokespeople.
But better communication is just the start. Customers will be looking for the telco to make amends for what has happened and to show they're prepared to do what it takes to rebuild trust.
"What needs to happen now in order to restore that trust is that Optus really needs to take ultimate responsibility for what's happened," Ms Bower says.
"So even if there is some kind of finding from AFP that there were criminal actors involved, ultimately Optus is responsible for the remedies and the reparations that are due to customers."