The group behind the massive Optus breach has scrapped its ransom demand and claims to have deleted the 11 million customers' records it scraped from the telco's website.
The attempt to force Optus to pay $US1 million ($A1.54 million) by Friday was dropped hours after the group released a batch of 10,000 Australian customers' sensitive details on a data breach forum on the clear web.
The illegally obtained information includes passport, Medicare and driver's licence numbers, dates of birth, home addresses and information about whether a person is renting or living with parents.
"Too many eyes. We will not sale (sic) data to anyone. We cant if we even want to: personally deleted data from drive (Only copy)," the group said on Tuesday.
They said they would have alerted Optus to its vulnerability if the telco had a secure method of contact or a bug bounty.
The batch released on Tuesday was still online as of 4.30pm AEST.
Australians caught out in the massive Optus data breach may be able to change their driver's licence numbers following the cyber attack.
At a Labor caucus meeting on Tuesday, Attorney-General Mark Dreyfus was asked about the trove of information stolen, and said the option was being considered with the nation's privacy commissioner.
He said the commissioner wasn't notified by Optus of the breach involving millions of customers until late Friday, the day after it was first reported.
An ongoing privacy review will be completed this year.
Mr Dreyfus told parliament the breach "should never have happened" and the FBI were assisting Australian authorities in their investigation.
In a statement, Home Affairs Minister Clare O'Neil said she was "incredibly concerned" about reports that Medicare numbers were now being offered for free and for ransom.
"Medicare numbers were never advised to form part of compromised information from the breach," she said.
"Consumers have a right to know exactly what individual personal information has been compromised in Optus' communications to them."
Opposition defence spokesman Andrew Hastie described the government's response to the hack as "lacklustre and slow".
"The government isn't responsible for Optus and their data breach, but they're sure as hell responsible for coordinating a response," he said.
Two people whose details were exposed in Tuesday's release of Optus data, and who asked to remain anonymous, expressed frustration that it contained personal data that, unlike bank details, couldn't easily be changed.
"No one can put a price on privacy but Optus has certainly lost mine," a Melbourne man told AAP.
"We'll find out how easy a mistake it was to make and to not make but c'mon, guys. Really?" said a Canberra man who signed up to Optus in 2021.
A check of 12 random email addresses against records held by Have I Been Pwned found nine had not previously been exposed in breaches.
Optus said it was the victim of a sophisticated attack - a claim dismissed by Ms O'Neil.
A federal police investigation has been launched into the data breach.
Opposition cyber security spokesman James Paterson told Sky News the government bore some responsibility and criticised its response to the hack as "slow".
Optus said it will offer "the most affected" customers the chance to take up a one-year subscription to credit monitoring service Equifax Protect at no cost.
© AAP 2022