Criminals or "state-based actors" could be behind a massive cyber attack that potentially exposed millions of Optus customers to fraud.
The telco does not know who was responsible or their motivations but any user who has been with the company since 2017 could be impacted.
Customers' names, dates of birth, phone numbers, email addresses, driver's licence numbers, passport numbers and addresses were all potentially accessed in the breach.
Optus chief Kelly Bayer Rosmarin on Friday apologised and said she felt terrible the attack happened on her watch.
"Obviously, I am angry there are people out there that want to do this to our customers. I'm disappointed we couldn't have prevented it," she said.
The company was still assessing the scale of the hack but staff believe the worst-case scenario was 9.8 million customers had been affected.
Ms Bayer Rosmarin said the telco notified the public less than 24 hours after discovering the breach and was working closely with government authorities and Australian Federal Police.
"This particular (cyber attack) is not similar to anything we've seen before and unfortunately it was successful," she said.
"It is too early to rule out any possibilities. So we're keeping it all open - it could be criminal and it could be state-based actors."
The company has not identified where the hackers were located as their IP addresses kept moving between different countries in Europe.
There have been no ransomware demands, meaning they have not asked the company to pay them to return the data.
Opposition Leader Peter Dutton called on cyber security minister Clare O'Neil to update Australians on the scale of the breach, along with what ongoing threats were posed.
"This may well be the biggest data breach in Australia's history at nine or 10 million people ... we don't know much more detail than that because the minister Clare O'Neil is missing in action," he told reporters.
"Is there a further likelihood of an attack by this group? Do we know whether it's an organised crime group or do we believe that it's a state actor that's involved? Do we believe that there is a further compromise potentially?
"These are questions Claire O'Neil should be answering."
Liberal MP Karen Andrews is set to introduce a private member's bill on Monday designed to strengthen jail penalties for cyber extortion.
Australian Consumer and Competition Commission deputy chair Delia Rickard said the attack was extremely worrying due to the large amount of personal information fraudsters might be able to access.
"These are all the things that you need for identity theft and also all the things you need to personalise a scam and make it much more convincing," she told Nine's Today program earlier on Friday.
Optus said users' payment details and account passwords had not been compromised and it was working with the Australian Cyber Security Centre to limit the risk to both current and former customers.
Ms Rickard said any Optus customers who suspected they were victims of fraud should request a ban on their credit records and be highly sceptical of unexpected calls from people purporting to represent banks or government agencies.
Scamwatch advised Optus customers to secure their personal information by changing online account passwords and enabling multi-factor authentication for banking.
Affected customers should also place limits on bank accounts and monitor for unusual activity.
© AAP 2022