In a statement released on Monday afternoon, the telco confirmed the stolen data did not contain valid or current document ID numbers for about 7.7 million individuals or businesses.

About 1.2 million of the ID numbers stolen, which include driver’s licences, are current.

An additional 900,000 customers have had numbers from expired documents comprised.

“Optus has sent an email or SMS to the customers that have had current ID documents compromised in the cyber attack, advising that details from their ID documents have been compromised and what they should do,” the statement reads.

Customers who had their sensitive details stolen in the cyber attack are being contacted by the telco to advise what ID documents have been exposed.

It comes as the telecommunications giant launched an independent, external review of the circumstances surrounding the data hack.

Affected customers started receiving emails from Optus on Sunday, while others were contacted by text message.

One customer posted a screenshot of the email to Twitter, which confirmed his driver’s licence number had been taken.

Another customer posted the text she received, which said her ID documents hadn’t been compromised.

Embattled chief executive Kelly Bayer Rosmarin, who has been criticised for the way Optus has handled the attack, recommended the review to the board which unanimously agreed to it.

Bayer Rosmarin said the telco was committed to rebuilding trust with its customers and the review would assist that process.

“We’re deeply sorry that this has happened and we recognise the significant concern it has caused many people,” she said in a statement.

She said the review would help Optus understand how the attack happened and ensure it would not happen again.

International professional services firm Deloitte will conduct the review of Optus security systems, controls and processes.

Earlier, cabinet minister Tanya Plibersek said while people had been receiving their bills on time, Optus had not told customers whether their personal details had been stolen.

“One of the real problems is the lack of communication by Optus, both with its customers and the government,” she told the Seven Network on Monday.

“It’s extraordinary we don’t have any Medicare numbers or Centrelink numbers that may have been compromised.”

Yet former home affairs minister Karen Andrews said the government’s response to the breach had also been inadequate.

While she did not absolve Optus of its corporate responsibilities, Andrews said the government had “failed quite dismally” in its response.

At least 10,000 parcels of ID data taken in the breach were put on the internet for sale by the hacker but were later taken down.

Cyber Security Minister Clare O’Neil said Optus needed to be up-front about what specific data had been taken.

She said the government did not know how many passport numbers had been stolen.

On Sunday, O’Neil demanded Optus respond to the government’s request for more information so it could help protect Australians from fraud.

The minister also criticised the former Morrison government, describing laws designed to protect Australia’s critical infrastructure from cyber attacks as “absolutely useless”.