Australia’s second-largest telecommunications company, Optus, has reported a cyber-attack.
The breach exposed customers’ names, dates of birth, phone numbers and email addresses.
The company – which has more than ten million subscribers – says it has shut down the attack but not before other details such as driver’s licences and passport numbers were hacked.
Optus says payment data and account passwords were not compromised.
The company said it would notify those at “heightened risk” but all customers should check their accounts.
Chief executive Kelly Bayer Rosmarin apologised to its customers, on ABC TV.
She said names, dates of birth and contact details had been accessed, “in some cases” the driving licence number, and in “a rare number of cases the passport and the mailing address” had also been exposed.
The company had notified the Australian Federal Police after noticing “unusual activity”.
And investigators were trying “to understand who has been accessing the data and for what purpose”.
Optus says the type of information that may have been hacked includes customers’
- names
- dates of birth
- phone numbers
- email addresses
- addresses
- ID document numbers such as driver’s licence or passport numbers
“Optus is working with the Australian Cyber Security Centre to mitigate any risks to customers,” a statement on its website said.
“Optus has also notified key financial institutions about this matter.
“While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious.”
Ms Rosmarin said the company had put all customers on high alert as a precaution – but many have been left frustrated and concerned.
Kaspersky cyber-security researcher David Emm told BBC News: “It’s good to see that Optus has said that it will contact those it believes are affected and that they will not be sending messages in emails or via SMS [text] messages – this makes it clear to customers that any such messages they receive will be fake.
“It’s also reassuring that no passwords or payment information has been stolen.
“Nevertheless, customers should be on the alert for any fraudulent activity they see and should protect their online accounts with unique, complex passwords and using two-factor authentication.”