Optus is staring down a possible class action after the personal data of millions of its customers was exposed in a massive hack last week.

Law firm Slater and Gordon said on Monday it was investigating a possible class action, amid growing concerns that Optus customers could fall victim to attempts at identity theft or other personalised scams.

“This is potentially the most serious privacy breach in Australian history,” the firm’s class action director Ben Zocco said on Monday afternoon.

The telco revealed last Thursday that personal data of up to 9.8 million former and current Optus customers were stolen by criminal hackers.

The telco has refused to divulge how the hack happened, but evidence is now emerging that Optus’ cyber security practices weren’t adequate.

The company is scrambling to contact affected customers who learned about the hack through media reports last week. On Monday it unveiled plans to pay for credit monitoring for the “most affected” users.

It came after Home Affairs Minister Clare O’Neil delivered a scathing speech to Parliament calling for the move and flagging tougher laws.

She said that in other nations such a large hack could lead to hundreds of millions of dollars worth of fines.

“The breach is of a nature that we should not expect to see in a large telecommunications provider in this country,” Ms O’Neill told Parliament.

“We expect Optus to continue to do everything they can to support their customers and former customers.”

Tweet from @abc730

Optus in damage control as purported hacker surfaces

Optus is now in its second week of damage control after revealing what has been called one of the largest corporate hacks in Australian history last Thursday, with personal data including names, addresses, emails, phone numbers, license numbers and passport numbers all exposed.

The hack has sparked a criminal investigation from the Australian Federal Police, which is working with the Australian Signals Directorate to determine the culprits and how the attack occurred.

Other regulators, including the Australian Competition and Consumer Commission, have urged current and former Optus customers to be vigilant against moves to use data in identity theft or financial scams.

It all comes as evidence emerges that the hack may be even worse than Optus’ chief executive Kelly Bayer Rosmarin suggested last Friday.

Journalist and IT expert Jeremy Kirk has reported contacting the hacker behind the attack and verifying Optus user’s stolen information.

The hacker said they actually had records on 11.2 million Optus users, far more than the 9.8 million Optus has said is a “worst case scenario”.

Tweet from @Jeremy_Kirk

The purported hacker claimed they took advantage of “bad access control” to steal reams of personal information from Optus’ data servers.

Kirk also reported that the hacker is demanding a $1 million payment to delete data, despite Optus saying it hadn’t received ransom demands.

On Tuesday, the alleged hacker told Kirk they had released 10,000 of the stolen records – and would release 10,000 more every day for four days unless the telco paid up.

“Bad news,” Kirk tweeted.

“The Optus hacker has released 10,000 customer records and says a 10K batch will be released every day over the next four days if Optus doesn’t give into the extortion demand.”

Authorities are understood to be trying to verifying the legitimacy of the claims, while Optus said federal police had told them not to comment.

Crackdown flagged

The federal government is preparing to introduce new protections that would ensure banks and other institutions would learn about hacks faster, helping them safeguard their personal data from identity theft.

Prime Minister Anthony Albanese said on Monday that the Optus hack was a “huge wake-up call” for Australia and that action was needed.

Ms O’Neil later said the government was looking to work with financial regulators and banks to find steps that could help protect Optus users.

Tweet from @ClareONeilMP

She also flagged a wider crackdown on telco providers such as Optus.

“One significant question is whether the cyber security requirements we place on large telecommunications providers in this country are fit for purpose,” she said.

“In other jurisdictions, a data breach of this size will result in fines amounting to hundreds of millions of dollars.”