Optus has suffered one of the biggest data breaches in Australian history, with up to 9.8 million users affected. 

Optus boss Kelly Bayer Rosmarin said she felt “terrible” about the attack on the network. 

“I’m very sorry and apologetic. It should not have happened,” she said. 

“I’m angry that there are people out there that want to do this to our customers.

“I’m disappointed that we could not have prevented it. I’m disappointed that it undermines all the great work we’ve been doing to be a pioneer and a real challenger in this industry.”

The compromised data stretches back to 2017 and may include addresses, phone numbers, driver’s licences and passport numbers.

Ms Bayer Rosmarin said the source of the “sophisticated” attack is unknown as the IP address of the attacker “kept moving ... out of various countries.” 

She said 9.8 million customers could have been affected in a “worst-case scenario”.

“We have reason to believe the number is actually smaller than that. But we are working through reconstructing exactly what the attackers have received. Importantly, it is a small subset of data – it does not include any financial details. It does not include passwords,” Ms Bayer Rosmarin said.

“We will be identifying specifically which customers and which fields of data and proactively contacting each individual customer with very clear explanation of which data has been exposed and potentially taken,” she said.

Reports say screenshots have been circulated of hackers looking to sell Optus customer names, numbers and email addresses online. 

“One of the challenges when you go public with this information is you can have lots of people claiming lots of things. There is nothing that has been validated and for sale that we are aware of, but the teams are looking into every possibility,” Ms Bayer Rosmarin said.

Optus says it is working with the Australian Federal Police, Australian Signals Directorate and Office of the Australian Information Commissioner to find the culprit.

ACCC Scamwatch is warning customers to be especially vigilant of scams following the data breach.