Optus has revealed that over 2.1 million customers have had their ID numbers, including driver’s licences, stolen after a significant cyber attack.
In a statement released on Monday afternoon, the telco confirmed that about 1.2 million of the ID numbers were stolen and an additional 900,000 customers have had numbers from expired documents comprised.
Customers who had their sensitive details stolen in the cyber attack are being contacted by Optus to advise what ID documents have been exposed.
It comes as the telecommunications giant launched an independent, external review of the circumstances surrounding the data hack.
Related: Simon Carabetta of ES2 on navigating the evolving landscape of cyber security
Embattled chief executive Kelly Bayer Rosmarin, who has been criticised for the way Optus has handled the attack, recommended the review to the board which unanimously agreed to it.
Ms Rosmarin said the telco was committed to rebuilding trust with its customers and the review would assist that process.
“We’re deeply sorry that this has happened and we recognise the significant concern it has caused many people,” she said in a statement.
She said the review would help Optus understand how the attack happened and ensure it would not happen again.
International professional services firm Deloitte will conduct the review of Optus security systems, controls and processes.
Cabinet minister Tanya Plibersek said while people had been receiving their bills on time, Optus had not told customers whether their personal details had been stolen.
“One of the real problems is the lack of communication by Optus, both with its customers and the government,” she said.
“It’s extraordinary we don’t have any Medicare numbers or Centrelink numbers that may have been compromised.”
Yet former Minister of Home Affairs Karen Andrews said the federal government’s response to the breach had also been inadequate.
While she did not absolve Optus of its corporate responsibilities, Ms Andrews said the government had “failed quite dismally” in its response.
At least 10,000 parcels of ID data taken in the breach were put on the internet for sale by the hacker but were later taken down.
Cyber Security Minister Clare O’Neil said Optus needed to be up-front about what specific data had been taken, saying the federal government did not know how many passport numbers had been stolen.
On Sunday, Ms O’Neil demanded Optus respond to the government’s request for more information so it could help protect Australians from fraud.
The minister also criticised the former Morrison government, describing laws designed to protect Australia’s critical infrastructure from cyber attacks as “absolutely useless”.
With AAP