In one of Australia’s largest cybersecurity breaches, Optus, the country’s second-largest telecommunications provider, announced on Saturday that it was alerting consumers about a cyberattack that had access to the personal information of up to 10 million subscribers.

The company’s chief executive, Kelly Bayer Rosmarin, expressed her rage and regret over an overseas corporation getting the home addresses, license numbers, and passport numbers of the equivalent of 40% of Australia’s population through the company’s client database on Friday.

In an update on Saturday, the company, owned by Singapore Telecommunications Ltd, said it was contacting “all customers to notify them of the previously announced cyberattack’s impact, if any, on their personal details”.

“We will begin with customers whose ID document number may have been compromised, all of whom will be notified by today. We will notify customers who have had no impacts last,” it said in a statement. “No passwords or financial details have been compromised.”

Optus has said corporate customers appeared unaffected by the “sophisticated” hack, which it initially informed customers about on Thursday.

The Sydney Morning Herald on Saturday reported Optus was probing a threat to sell millions of customers’ personal information online unless the company paid $1 million in cryptocurrency to the hackers.

Asked about the report, an Australian Federal Police spokesperson told Reuters that police were aware of reports alleging stolen Optus customer data and credentials may be being sold through a number of forums “including the dark web”.

Optus said as the attack was under police investigation it “cannot comment on certain aspects of the incident”.

The company, declining to give details of how the attacker breached its security, has said the attacker’s IP address – the unique identifier of a computer – appeared to move between countries in Europe.