Optus Confirms Hack Exposed Data of Nearly 2.1 Million Australians

Australian telecom giant Optus has said that nearly 2.1 million of its customers had their personal information exposed in the data breach the company suffered late last month.

The company made the announcement on Monday, confirming it had employed Deloitte to lead a forensic review of the cyber-attack.

Singaporean telecommunications conglomerate Singtel, which owns Optus, also confirmed the affected customers had at least one number from a current and valid form of identification, and personal information, compromised.

“In addition, approximately 900,000 customers have had numbers relating to expired IDs compromised, in addition to personal information,” Singtel wrote.

At the same time, the company confirmed the exposed information did not contain valid or current document ID numbers for some 7.7 million customers.

“We’re deeply sorry that this has happened and we recognize the significant concern it has caused many people,” Optus CEO Kelly Bayer Rosmarin said in a video message to customers.

“While our overwhelming focus remains on protecting our customers and minimizing the harm that might come from the theft of their information, we are determined to find out what went wrong.”

According to Rosmarin, the review will aid Optus in understanding how the breach occurred and how the firm can prevent it from happening again.

“This may also help others in the private and public sector where sensitive data is held and risk of cyber-attack exists,” she added. “I am committed to rebuilding trust with our customers, and this important process will assist those efforts.”

The security incident affecting Optus involved a malicious actor gaining unauthorized access to customer information. At the time of writing, it is unclear how or when the intrusion occurred.

Still, the Australian Federal Police (AFP) warned last week that some phishing and smishing attacks are already targeting Optus customers.

“There are reports that sophisticated scammers are contacting Optus customers via phone, email and text to get further personal information from the victims of the breach.”

More recently, a BreachForums user claimed responsibility for the attack and said they had deleted the only copy of the stolen data.