NewsBite


Major Optus customer data breach blamed on ‘human error’

A major breach of Optus’ customer data dates back several years and was likely the result of one key thing.

Optus customers affected by cyberattack

A massive data breach at telco giant Optus could date back as far as 2017, it has been revealed.

Optus chief executive Kelly Bayer-Rosmarin apologised for the cyber intrusion during a conference call with reporters on Friday.

She said customers who were with the telco as far back as 2017 had been impacted, although the company would not disclose details of how the hack happened.

“The exact mechanics are subject to a criminal investigation and we won’t be divulging that,” she said.

“Without saying too much, the IP address (of the hackers) kept moving. It’s a sophisticated attack.

“Safe to say it comes out of various countries in Europe, and in terms of the customer data, I think it dates back to 2017.”

Meanwhile, it has been suggested human error may have been behind the hack.

Days after sensitive customer information was leaked, including passport and driver’s licence numbers, an anonymous source within the company has pointed the finger at IT programmers.

The “senior insider” told the ABC an error made by a programmer may have opened the door for hackers.

An anonymous source inside Optus has placed the blame for a massive data breach on human error. Picture: NCA NewsWire / John Gass

“(It’s) still under investigation. However, this breach, like most, appears to come down to human error,” the source said.

They claimed programmers were attempting to open up Optus’ customer identity database to other systems via an application programming interface.

While it was believed the process would only grant access to authorised company systems, outsiders may have been granted access via a test network.

“Eventually one of the networks it was exposed to was a test network, which happened to have internet access,” the source said.

Australian Federal Police have launched a probe after receiving a referral from Optus about the alleged “mass data breach”.

“The AFP will work with Optus to obtain the crucial information and evidence needed to conduct this complex, criminal investigation,” a statement on Friday read.

“The AFP’s specialist cyber command will work closely with a number of agencies, including the Australian Signals Directorate.”

Ms Bayer-Rosmarin apologised and said the hack “should not have happened”.

“I’m disappointed that we couldn’t prevent it,” she said.

“It undermines all the great work we’ve been doing to be a pioneer in this industry, be a challenger, and create new and wonderful experiences for our customers. I’m really sorry.”

Optus chief executive Kelly Bayer-Rosmarin apologised for the breach. Picture: NCA NewsWire / Damian Shaw

The cyber breach could have wide-reaching consequences for both private and small business customers, Ms Bayer-Rosmarin acknowledged.

In an “absolute worst-case scenario”, 9.8 million customers were affected, although Ms Bayer-Rosmarin cautioned that authorities were still investigating the breach and the full impact was not yet known.

Unconfirmed screengrabs from a dark web hacker forum show cyber criminals claiming to have access to one million Optus phone numbers.

Ms Bayer-Rosmarin urged customers to be on the watch for suspicious contacts in the near future, fearing bad actors who access the stolen data could use it to place scam calls.

“What customers can do is just be vigilant,” she said.

“It really is about increased vigilance, and being alert to any activity that seems suspicious or odd or out of the ordinary.

“If somebody calls you and says they want to connect to your computer and says to give them your password or let them in, don’t allow that to occur.”

Customers who have been affected will be contacted by Optus in the coming days.

Originally published as Major Optus customer data breach blamed on ‘human error’

Original URL: https://www.heraldsun.com.au/technology/online/major-optus-customer-data-breach-blamed-on-human-error/news-story/bf4c9a26aa46cbf2426db3be3a76d1f9