A cyberattack has exposed the personal data of as many as 10 million Optus customers in the biggest ever data breach of an Australian telco.

In a statement Thursday afternoon, Optus acknowledged the cyberattack, which was first reported by The Australian, but said no payment details or passwords had been compromised.

However, it admitted that customer names, street addresses, phone numbers, email addresses and passport details may have been accessed by the attackers.

The company, which has 9.7 million subscribers to its fixed and mobile services, came under fire on social media from customers who complained that they had heard about the breach through the media but had not received any advice from Optus.

Optus said it had shut down the attack as soon as it had discovered it. The no.2 Australian operator said it was working with the Australian Cybersecurity Centre and had advised federal police and regulators of the data breach.

"We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers' personal information to someone who shouldn't see it," said Optus CEO Kelly Bayer Rosmarin.

One of Australia's most serious cyberattacks

"While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious."

Senator James Paterson, a former chair of the senate intelligence and security committee, told the Sydney Morning Herald that it was "one of the most serious cyberattacks" ever made on an Australian business.

It is certainly the largest privacy breach of any telecom operator, dwarfing the most recent incidents.

Want to know more? Sign up to get our dedicated newsletters direct to your inbox.

Last year, some "tens of thousands" of Telstra SIM cards and corporate data were reportedly accessed in an attack on a Telstra partner, Schepisi Communications.

In May 2021, TPG Telecom reported that its TrustedCloud hosting service had been hacked, with 5 gigabytes of data from one of its customers later found freely available on the dark web.

The Office of the Australian Information Commissioner said it had been advised of the Optus breach and would work with the operator to inform customers of the incident and how to respond.

Related posts:

— Robert Clark, contributing editor, special to Light Reading