The massive cyber-attack targeting Optus customers saw 2.1 million people affected, the telco has confirmed.
Earlier estimates of 9.8 million people – all of Optus’ customers – were considered to be the worst-case scenario.
But after the Australian Federal Police launched a new investigation into the 10,000 people whose data was released by the hacker, Optus has revealed the exact number of personal ID numbers which were compromised.
In a message on Monday, Optus confirmed 2.1 million of its nearly 10 million customers had one form of identification targeted in the attack.
Although, 900,000 are believed to have been expired documents.
The telco also revealed about 50,000 Medicare cards and 150,000 passports had been breached which will likely reignite calls for Optus to pay for replacements.
Most of the exposed cards and passports had expired, Optus said.
Following the breach, the major telco has announced financial services company Deloitte will conduct an external review of the attack.
“This review will help ensure we understand how it occurred and how we can prevent it from occurring again,” Chief Executive Kelly Bayer Rosmarin said.
“It will help inform the response to the incident for Optus. This may also help others in the private and public sector where sensitive data is held and risk of cyber-attack exists.”
The independent audit will be separate to Optus’ cooperation with the Signals Directorate and other branches of the Federal Government to further assess the breach.
Government Services Minister Bill Shorten on Sunday blasted Optus for not providing Services Australia with the details of the up to 36,000 affected customers whose Medicare and Centrelink numbers had been exposed.
Mr Shorten said the government could not protect victims without Optus’ help and urged the telco to show “more initiative”.
“Systemic risk has been injected into the Australian bloodstream about the privacy of their information. We know that Optus is trying to do what it can, but having said that, it’s not enough,” Mr Shorten said on Sunday.
“This shouldn’t be a game of Whac-A-Mole where we work out what the problem is and then we go to the corporation and say, help us stop the problem.”
Ms Bayer Rosmarin told the Nine newspapers on Monday Optus provided the Office of the Australian Information Commissioner with the data.
She also confirmed the data would be given to Services Australia by the October 4.