More than a week after revealing some 9.8 million people had their personal information potentially stolen in a massive data breach, the telco continues to face criticism from government and the public over its poor communication and ongoing confusion.

On Sunday, many customers received a text message from Optus reading, “Cyberattack update: Confirming only the licence number on your driver licence was exposed, not the card number. Your state or territory government will provide advice on any action that you may need to take via their website.”

Some customers in Victoria who received the message, however, quickly pointed out that Victorian driver licences do not have a separate card number, so loss of the licence number was just as serious.

Other customers received a more concerning message.

“During further analysis as part of our ongoing investigation, we’ve discovered some customers have had both the licence number and card number on their driver licence exposed,” it read.

“Please note, only the numbers have been exposed and not a copy of your Photo ID. We’re deeply sorry to inform you that you’ve been identified as part of this group.”

Optus advised those customers to apply for a replacement licence to “help reduce the risk of identity theft or financial loss”.

In a statement on its dedicated cyberattack portal on Sunday, Optus said it had sent an email or SMS to “customers that we have a driver licence on record in NSW, ACT, SA, NT, WA and Tas, confirming their driver licence number and card number were exposed in the cyberattack”.

“We have also contacted customers to advise if their Medicare card number has been exposed,” Optus said.

“We continue to work with the state governments for individuals that hold driver licences in Victoria and Queensland and will provide advice as soon as possible. If we did not have valid contact details for any impacted customers, these customers will be contacted via post using the last mailing address we have on file, as soon as possible. We continue to reach out to customers who have had other details exposed.”

Optus stressed that “there were no direct debit or credit card details compromised in the cyberattack”.

“Additionally, all customer My Account login details including username and password remain secure,” it said.

“Customers are encouraged to remain vigilant and check written communications carefully. We will not send links or request information, like passwords, in the communications we send our customers about the cyberattack. Scammers will often send from legitimate-looking email addresses, so if in doubt, customers should double check by clicking on the name and checking the sender address.”

It came as the federal government launched an extraordinary spray accusing the telco of not co-operating with in the aftermath of the breach, as it is yet to hand over the full details of affected customers.

Government Services Minister Bill Shorten made the new plea on Sunday morning, saying Services Australia wrote to Optus on September 27 asking for the full details of all affected customers with credentials such as Medicare and Centrelink numbers exposed.

Services Australia said there have been no impacted customer details provided by Optus in relation to this request.

More than 37,000 Medicare numbers were exposed in the data breach.

The Australian Federal Police has launched two investigations into the breach and are being assisted by the FBI.

Mr Shorten said the privacy of Australians caught up in the saga must remain paramount.

“Services Australia has been working around the clock to help protect customers, but we need Optus to help us help Australians,” he said.

“This was a breach that should never have happened. We all carry a Medicare card around in our wallet, so it is no surprise that Australians are deeply concerned about what has happened here.”

Days earlier, Optus said it would pay to replace passports of Australians caught up in the cyber attack.

Later on Sunday, Home Affairs Minister Clare O’Neil warned Australia must change its cyber security rules to avoid a leak on the scale of Optus’ latest nightmare in the future.

“We need to consider the obligations that companies face when a cybersecurity breach of this nature occurs,” she said.

“We simply do not want to go through this again, we’ve got 10 million people whose private data has been stored by a private company for periods that are far too long and after the fact, we don’t have the proper powers we need to acquire information in specific ways. It’s not good enough. We live in a digital age, cyber security issues are part of our lives now and this incident is a huge wake up call to corporate Australia … and it’s a wake up call to everyday Australians too.”

Ms O’Neil said Australians impacted must be aware of parties who may now try and take advantage of their leaked data.

“This is a time for real vigilance for Australians, we should not be in the situation we’re in but Optus has put us here and it’s now time for Australians to take steps to protect themselves against financial crime,” she said.

On Saturday, Optus published a grovelling full-page newspaper ad apologising for the “devastating” cyberattack.

“Our priority is preventing harm to customers,” it read. “We are here to assist and support you through any personal concern that you may be feeling.”

frank.chung@news.com.au

— with NCA NewsWire

More Coverage

Puzzling detail in Optus data hack

Courtney Gould

Three words will come to haunt Optus

Ellen Ransley

Originally published as Big problem with Optus text after leak