“We are devastated to discover that we have been subject to a cyberattack that has resulted in the disclosure of our customers’ personal information to someone who shouldn’t see it,” she said.

”While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance. We are very sorry and understand customers will be concerned.“

She said Optus was contacting customers at “high risk” and encouraged all to look out for unusual or fraudulent activity. Optus has also informed the Australian Federal Police, Office of the Australian Information Commissioner, financial institutions, government regulators and Australian Cyber Security Centre of the breach.

A spokesman for the commissioner’s office noted that, under law, organisations hit with a data breach must tell people “as quickly as possible” if it is likely to result in serious harm to them. The ACSC declined to comment.

Robert Potter, co-founder of cybersecurity company Internet 2.0, said Optus had done the right thing in disclosing the breach early because it let people respond quickly but added there was still substantial risk if the information gets out.

“The risk of it being on the dark web is around this being used for identity theft,” Potter said.

Alastair MacGibbon, a former head of the cyber security centre now with cybersecurity firm CyberCX, said Optus customers should be watchful for “where the criminals are essentially mimicking them, or stealing their identity, trying to obtain credit in their name, etcetera.”

Loading

“[Optus] might have already been contacted by criminals,” MacGibbon said on the ABC, though there is no indication that is the case. “We don’t know necessarily what the motives are.”

Liberal Senator James Paterson, a former chairman of the parliamentary committee overseeing Australia’s intelligence and security agencies, said it was vital to work out who was behind the attack.

“These very concerning reports represent one of the most serious cyberattacks ever suffered by an Australian business,” Paterson said.

Common motives in cyberattacks include industrial espionage, extortion threats or simply showing off. Hacking groups linked to national governments also sometimes use cyber crime for political ends.

Loading

Cyberattacks are growing in severity globally and locally. Recently transport firm Uber and the gaming giant Take-Two Games, which makes the multibillion-dollar Grand Theft Auto franchise, have been breached.

A spokesman for Cybersecurity Minister Clare O’Neil declined to answer specific questions, saying they should be directed to Optus, but noted there were more and more online attacks hitting Australian businesses.

Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.