NewsBite

Ex-customers question key claim from Optus amid growing backlash

Claims from Optus’ CEO that the impacted customer data dates back to 2017 have been called into question by outraged former customers.

Claims customer data impacted in the Optus hack only stretches back to 2017 have been called into question, with the telco now dealing with a fresh wave of backlash.

After news of the cyber attack broke last week, CEO Kelly Bayer Rosmarin revealed that both past and present Optus customers had been impacted, with 9.8 million expected to be the upper level of the number of people affected.

Names, emails, phone numbers, dates of birth, addresses, driver’s licence numbers, passport numbers and Medicare details are now at risk as a result.

Speaking at a press conference on Friday, Ms Bayer Rosmarin revealed Optus was legally required to hold on to customer data for six years.

Optus CEO Kelly Bayer Rosmarin said the impacted customer data stretched back to 2017.

“We do hold a reference to the identification information, whether it is the driver’s licence number or passport number, that’s the field that has been compromised.

“We want to assure people they have not got images of any of those documents, nor any bank details or passwords. The reason we hold onto customer data for a period of time is, that it is the law.

“We have to be able to go back in our records for six years, so we do hold information for the required length of time.”

The CEO claimed the customer data swept up in the attack dates back to 2017.

However, former Optus customers have called this claim into question after being told by the telco they had been impacted by the breach despite not being with the company for a decade.

One former customer, who hasn’t been with Optus since before 2011, was shocked after receiving an email from the telco advising that her personal details had been breached.

The woman, who asked not to be named, told news.com.au that she initially thought the email must have been a scam.

“I initially disregarded the email, thinking it might be another scam, simply because I have not actually been their customer for quite so long,” she said.

The woman said she left Optus more than a decade ago due to “poor service”.

The woman received the email despite not being an Optus customer since at least 2011. Picture: Supplied

In the email, the ex-customer was informed that her name, date of birth, email, and the ID number of either her driver’s licence or passport had been exposed.

When the woman attempted to call Optus to get more information she was placed on hold and eventually decided to hang up after the hold music cut out and she had no way of knowing if she was still in the queue.

It appears this former customer isn’t the only person dealing with this issue, with multiple people taking to social media to reveal they had also been contacted by Optus, despite changing providers long ago.

Optus is required under the law to keep records for certain periods of time.

This is in terms of both specific requirements under the Telecommunications (Interception and Access) Act 1979 and the more general requirements that apply to data retention.

‘We are not the villains’, says CEO

Ms Bayer Rosmarin has stressed to customers that Optus is not the “villain” in the situation, while also claiming that most of the data obtained in the breach was “already out there”.

“I think most customers understand that we are not the villains, and that we have not done anything deliberate to put any of our customers at risk,” she said.

“In fact, quite the contrary. We’re doing everything we can to prevent that from happening.

“What I can say, that hopefully should help people understand, is that it’s not as being portrayed. Our data was encrypted and we have multiple layers of protection. So it is not the case of having some sort of completely exposed APIs sitting out there.”

In an interview this week, the Optus boss said there was misinformation being spread about the incident.

“We are putting people on high alert and asking them not to fall for the scams,” she said.

“And unfortunately, a lot of the data, the majority of the data that’s been accessed is data that is most likely out there already. So it’s very important as a good reminder to people to be super vigilant and not to fall for scams or click links that are sent to them in emails or SMS.”

What to do if you are affected

Optus chief executive Kelly Bayer Rosmarin apologised for the cyber intrusion in a conference call with reporters on Friday, saying “it should not have happened”.

“I’m disappointed that we couldn’t prevent it,” she said.

Ms Bayer Rosmarin urged customers to be on the watch for suspicious contacts in the near future, fearing bad actors who access the stolen data could use it to place scam calls.

“What customers can do is just be vigilant,” she said.

“It really is about increased vigilance, and being alert to any activity that seems suspicious or odd, or out of the ordinary.

“If somebody calls you and says they want to connect to your computer, and says to give them your password or let them in, don’t allow that to occur.”

She said passwords and financial details had not been compromised, however other sensitive information had been pilfered.

“We do hold a reference to the identification information, whether it’s the driver’s licence number or passport number. That’s the field that’s been compromised,” she said.

“I again want to reassure people that they have not got images of any of those documents, nor any bank details or passwords.”

For those who are concerned their data may have been stolen, there are a number of steps you can take to protect yourself.

The Australian Cyber Security Centre has provided advice for those current and former customers who have been impacted.

Australians have been advised to update their devices to protect important information as well as protecting important accounts by using multi-factor authentication.

Customers should also contact their financial institutions immediately and follow their guidance about protecting their accounts.

Those impacted are also advised to contact reputable sources for information such as Moneysmart, ID Care and the Office of the Australian Information Commissioner.

Original URL: https://www.news.com.au/finance/business/technology/excustomers-question-key-claim-from-optus-amid-growing-backlash/news-story/dab52213536e70aa1eb541e2d02a1c87