Thousands of Optus customers who had personal details stolen in a cyberattack and leaked on the dark web may never find out how the breach happened after the telecommunications group pleaded “legal professional privilege” to try to stop a report into the hack being released.

Optus appointed consultants Deloitte to review its security systems and do a forensic investigation into the September 2022 cyberattack, which led to the personal information of some 10,200 customers – including passport, driver’s licence and Medicare numbers – being posted online.