Customers’ names, dates of birth, phone numbers, email addresses, driver’s licence numbers, passport numbers or addresses could have been accessed in the attack, Optus has confirmed.

Payment details and account passwords have not been compromised.

Optus said on Thursday night it was working with the Australian Cyber Security Centre to limit the risk to both current and former customers.

Australian Federal Police, the Office of the Australian Information Regulator and other key regulators have also been notified.

While the government has initiated a review into data security on social media platforms like TikTok, it won’t be completed until next year, opposition communications spokeswoman Sarah Henderson said.

“This is all too little, too late,” she said.

“Rather than kick the can down the road, Labor must urgently consider all regulatory options and act immediately to improve the privacy and safety of Australians online.”

Optus chief executive Kelly Bayer Rosmarin said in a statement that as soon as the telco learned of the attack it took action to block it and began an investigation.

“While not everyone may be affected and our investigation is not yet complete, we want all of our customers to be aware of what has happened as soon as possible so that they can increase their vigilance,” she said.

“We are very sorry and understand customers will be concerned. Please be assured that we are working hard … to help safeguard our customers as much as possible.”

Scamwatch has advised Optus customers to secure their personal information by changing online account passwords and enabling multi-factor authentication for banking.

Affected customers should also place limits on bank accounts, monitor for any unusual activity and request a ban on credit reports if any fraud is suspected.

Senator Henderson said the opposition had for months been calling on the Albanese government to deliver tougher online privacy and data protection laws.

In July, it called on Labor to adopt the coalition’s Online Privacy Bill and earlier this month, she and other opposition MPs had criticised the government for failing to strengthen laws.

The Office of the Australian Information Commissioner said it would engage with Optus to ensure compliance with the requirements of the Notifiable Data Breaches scheme.

Under the framework, organisations covered by the Privacy Act must notify affected individuals as quickly as possible if they experience a data breach likely to result in serious harm.

-AAP