The telecommunications giant confirmed on Tuesday 2.1 million customers had at least one form of identification and personal information accessed by hackers.

Mr Shorten raised eyebrows on Sunday when he said they needed those details “not tomorrow or the next day, we really needed it days ago”. 

Optus had been given a deadline of October 4 to handover the information, but Mr Shorten was defiant when asked if this meant his earlier comments were premature.

“Ask anyone who‘s a customer of Optus or an ex-customer of Optus if they’re satisfied with the level of communication they’ve had with Optus,” he said on Tuesday.

“It’s now day 13 and I’m pleased that our Service Australia people were able to get data finally today, but I think senior management are kidding themselves if they want a medal for the way they’ve been communicating.

“Even a crocodile wouldn’t swallow that.”

Mr Shorten compared the process of getting the information from Optus to playing a game of “hide and seek”.

“My beef was that we shouldn't have to, as the government in my area, play hide and seek and wait until day 13 to get material,” he said.

“I’m pleased though now that material has been provided. We’re yet to see if it’s in a form in which we can consume it.”

Mr Shorten would not comment on the performance of Optus chief executive Kelly Bayer Rosmarin, saying that “will be up for others to judge.”

It comes after the commissioner responsible for investigating the Optus hack has revealed the telco’s collection of personal data may have gone beyond its legal requirements.

Information Commissioner and Privacy Commissioner Angelene Falk said she believes Optus might have gone “beyond the scope” of the data they needed to hold.

“In some cases I think it does go beyond the scope,” Ms Falk said on Sunrise on Tuesday.

“If we are buying clothes online, our retailer needs to know who they're dealing with enough to send us the clothes that we bought and also our address – they don’t need to know our date of birth.

“We need to get back to basics. What is the information needed for this product or service? And make sure only that information is being collected.”

Ms Falk said the commission was continuing to investigate the information that Optus collected and the length of time it was held for.

The company released a video statement from Ms Rosmarin on Monday evening confirming just how many people’s data had been compromised in the hack.

“Optus has communicated with these customers and recommended that they take action to change their identification documents,” the company said in a statement.

Optus said of the 9.8 million customers whose data was hacked, it believed 7.7 million did not need to replace documents.

The 2.1 million personal ID details include 150,000 passport and 50,000 Medicare numbers.

These 7.7 million Australians are still warned to be on alert for scammers, as data such as email addresses, date of births and phone numbers were taken.

It was also announced that an external review would be conducted into how the data was breached.

Consulting agency Deloitte will conduct the probe into the embattled telco’s cybersecurity systems, controls, processes and the circumstances surrounding the cyber attack.

“This review will help ensure we understand how it occurred and how we can prevent it from occurring again,” Ms Bayer Rosmarin said.

In a statement, Optus said the review was recommended by Ms Bayer Rosmarin and was supported unanimously by the Singtel Board, the telco’s parent company.

Originally published as ‘Even a crocodile wouldn’t: Shorten