Optus customers have had their personal information accessed after the telco fell victim to what has been described as one of the biggest hacks in Australian history.

Names, dates of birth, phone numbers, email addresses and in some cases, postal addresses, and driver’s licence and passport numbers have been compromised. Sources cited by the Sydney Morning Herald (paywall) said that as many as 9 million current and former customers have been affected. According to Optus parent Singtel’s most recent financials, Optus had 10.2 million mobile and 1.3 million home broadband customers at the end of June, so it’s a sizeable hack. Telecoms.com has sought confirmation of the exact figure from Optus, and will update this story if needed.

“As soon as we knew, we took action to block the attack and began an immediate investigation. While not everyone maybe affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance,” said Optus CEO Kelly Bayer Rosmarin, in a statement on Thursday. “We are very sorry and understand customers will be concerned. Please be assured that we are working hard, and engaging with all the relevant authorities and organisations, to help safeguard our customers as much as possible.”

Optus said payment details and account passwords have not been accessed. Nonetheless, the treasure trove of information stolen by the hackers will leave affected customers vulnerable to a multitude of attacks. For instance, with enough personal information at their disposal, a criminal could use social engineering techniques to execute a SIM-swap attack, gaining illicit possession of a victim’s mobile phone number. With phone numbers frequently used for two-factor authentication and resetting passwords, it could open the door to the victim’s social media, online shopping and potentially even bank accounts.

“Optus has also notified key financial institutions about this matter. While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” Optus said.

Australia’s privacy rules require regulated organisations – which includes Optus – to notify the Office of the Australian Information Commissioner (OAIC) of any data breach that is likely to cause serious harm. Failure to comply can incur a fine of up to A$2.1 million ($1.4 million). According to the OAIC Website, there were 464 notifiable data breaches (NBDs) in 2021, up 6 percent on the previous year. The majority of NBDs resulted from malicious or criminal activity, and 71 percent of breaches affected 100 people or fewer.

Optus said it has notified not only the OAIC, but the Federal Police, and the Australian Cyber Security Centre.

In terms of where the Optus hack sits in Australia’s data breach hall of infamy, it certainly appears to be among the largest. A ranking published by cybersecurity firm UpGuard in August put online design tool maker Canva at the top, with a hack in 2019 that exposed the details of a whopping 137 million users. In second place sits IoT vendor Ubiquiti Networks, which was breached in December 2020, allegedly compromising the details of up to 85 million customers. When it published its ranking, UpGuard said the third-largest hack took place in July 2020 and affected 444,000 users of educational exam platform ProctorU.

If the SMH’s sources are on the money, then the 9 million unfortunate victims of the Optus hack would confer upon the telco an unwelcome and dubious honour.

Get the latest news straight to your inbox. Register for the Telecoms.com newsletter here.