Telecommunications giant Optus may face a class action over a cyberattack that left the data of up to 10 million current and former customers exposed.
Slater and Gordon said Monday it had launched a class action investigation into the massive data breach revealed by Optus on Thursday.
The cyberattack targeted the personal data of current and former customers dating back five years, including names, dates of birth, phone numbers and email addresses, and in some cases customer ID document numbers.
Billing and payment details and account passwords were not compromised, according to Optus, which said it was safe to use its services like mobile and home internet.
Slater and Gordon senior associate Ben Zocco said Monday the disclosure of identifying information raised “very real risks” for some customers.
“This is potentially the most serious privacy breach in Australian history, both in terms of the number of affected people and the nature of the information disclosed,” Zocco said.
“We consider that the consequences could be particularly serious for vulnerable members of society, such as domestic violence survivors, victims of stalking and other threatening behaviour, and people who are seeking or have previously sought asylum in Australia.
“Given the type of information that has been reportedly disclosed, these people can’t simply heed Optus’ advice to be on the look-out for scam emails and text messages.”
Zocco said it was “extremely concerning” that for some customers, their drivers’ licence and passport numbers had been disclosed.
“This information alone would go a long way in allowing a criminal to steal an affected customer’s identity,” Zocco said.
While privacy class actions are uncommon in Australia, Slater and Gordon is no stranger to them, having won a landmark judgment from Australian Information Commissioner and Privacy Commissioner Angelene Falk last year ordering the federal government to pay compensation to 1,300 asylum seekers for publicly disclosing their personal information in 2014.
The Australian Federal Police said Friday it had received a referral from Optus to probe the cyberattack and would work with the company and other agencies, including the Australian Signals Directorate — the intelligence agency responsible for national cyber security — to investigate the breach.
Optus said Thursday it had also notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and other relevant agencies.
Optus CEO Kelly Bayer Rosmarin told reporters the company had “very strong cyber defences” and the attack, which appeared to originate from Europe, was sophisticated.
“This should serve as a warning to all organisations that there are sophisticated criminals out there,” Rosmarin said. There had been no ransomware demand made, she said, and it was too early to tell whether the hackers were criminals or foreign state-linked.
She said the company took action to block the attack and began an investigation as soon as it became aware of the breach on Wednesday.
The “absolute worst case scenario” was that 9.8 million customers were impacted, but Rosmarin said the company had reason to believe the number was lower than that.
Optus has engaged with all relevant authorities and organisations to help safeguard customer data and has also notified key financial institutions about the attack.
“While we are not aware of customers having suffered any harm, we encourage customers to have heightened awareness across their accounts, including looking out for unusual or fraudulent activity and any notifications which seem odd or suspicious,” Rosmarin said.
The Australian Competition and Consumer Commission warned consumers to be on the lookout for scams following the breach.
“For some customers identity document numbers such as driver’s licence or passport numbers could be in the hands of criminals. It is important to be aware that you may be at risk of identity theft and take urgent action to prevent harm,” ACCC Scamwatch said.
The ACCC said Optus customers should immediately take steps to secure all of their accounts, including bank accounts.
“You should also monitor for unusual activity on your accounts and watch out for contact by scammers,” it said.
Copyright Lawyerly Media. Unauthorized reproduction, distribution or sharing of this article is prohibited.