The amount of customer data stolen from Australian company Latitude Financial may grow, with the non-bank lender confirming that drivers licences, passports and Medicare numbers have already been hacked.
The company went public about the cyber attack last Thursday.
It said then that about 330,000 customers were thought to have had their personal information stolen.
Today it reiterated that the vast majority of data thought to have been stolen were copies of licences and their numbers.
However, it said about 5 per cent of what had been confirmed stolen was copies of passports and Medicare cards.
The company said on Monday the scope of what was thought to have been stolen might grow as it continued to review "non-customer originating platforms and historical customer information".
"We are likely to uncover more stolen information affecting both current and past Latitude customers and applicants," it said.
"Latitude encourages our customers to remain vigilant. We will never contact customers requesting their passwords."
"The attack on Latitude is now the subject of an investigation by the Australian Federal Police."
It said also the situation "remains active".
UNSW Institute for Cybersecurity's Associate Professor Rob Nicholls said this was "even more concerning".
"It suggests that Latitude's service providers have not really addressed the problem," he told ABC News.
"It also increases the likelihood of a hybrid attack that is both ransom and theft.
"If the intruders are still in the system, they have an opportunity to encrypt files."
The non-bank lender offers short-term loans, credit cards and travel cards, and buy now pay later services with major retailers, including Apple, Harvey Norman and JB Hi-Fi.
The company has faced anger and criticism from its estimated 2.8 million customers about the cyber attack.
The company's call centre is also offline, apparently due to ongoing security risks after the hack, which is only further upsetting customers.
Latitude says it will today start contacting customers who are thought to have had their data stolen.
It noted the breach affected past and present customers.
Today, Latitude's chief executive Ahmed Fahour apologised to them.
“I sincerely apologise to our customers and partners for the distress and inconvenience this criminal act has caused," he said in today's statement.
"I understand fully the wider concern that this cyber-attack has created within the community.
"While we continue to deliver transactional services, some functionality has been affected resulting in disruption.
"We are working extremely hard to restore full services to our customers and merchant partners and thank them for their patience and support. We understand their frustration."
The incident follows well-publicised breaches on telco Optus and private health insurer Medibank.
Latitude Financial did not reply to questions from ABC News about whether the hackers had asked for a ransom.
Medibank customers' data was posted to the dark web last year after the insurer refused to cough up money to a Russian-linked entity for its stolen data.
The federal government has previously backed the decision of companies not to pay ransoms, and it has also announced plans to overhaul a $1.7 billion cybersecurity plan set up under former prime minister Scott Morrison.
A national cyber office — led by a new coordinator for cybersecurity — will be established under the Home Affairs Department to lead the renewed strategy.
Speaking on Friday, federal Treasurer Jim Chalmers confirmed Latitude was working with relevant federal authorities on the "substantial cyber breach", which is potentially subject to a criminal investigation.
"People are obviously concerned when we have these kinds of data breaches," he said.
"And there's a hunger for information, and I understand that."