Australian iinet suffers a data breach

---

Overview

• Incident Date: Attack detected August 16, 2025; public disclosure August 19-20, 2025.
• Company Affected: iiNet, a major Australian ISP, subsidiary of TPG Telecom.
• Incident Type: Unauthorized access (not ransomware), tied to credential theft.

Breach Scope

• System Targeted: iiNet’s order management system — not the company’s wider IT network.
• Customer Records Impacted:
• About 280,000 active iiNet customer email addresses were accessed.
• Approx. 20,000 active landline phone numbers compromised.
• Roughly 10,000 records containing usernames, street addresses, and phone numbers.
• Around 1,700 modem setup passwords.
• Indeterminate number of inactive email addresses and phone numbers.

Critically, no banking, credit card, or government-issued identification details were stored in this system. Financial data and sensitive ID were not exposed.

Attack Vector & Methodology

• Attacker utilized stolen employee credentials to sign into the order management system.
• Access was limited to this specific internal application, with no evidence of wider system compromise.
• Initial investigation does not indicate privilege escalation or lateral movement within iiNet’s environment beyond this application.

Company Response

• iiNet identified the breach and activated its incident response process immediately.
• Attacker access was revoked and external specialist support was engaged for forensic analysis.
• All relevant Australian government authorities were notified: ACSC, NOCS, OAIC.
• iiNet obtained an interim injunction restraining publication or access to any stolen data by third parties.

Communication & Remediation

• Impacted customers are being informed directly.
• A dedicated support hotline was set up (1300 861 036).
• Customers not impacted are also being notified for reassurance.
• Ongoing investigation includes a review of employee credential hygiene and order system access controls.

Advice for Customers (and Security Professionals)

• Vigilance for targeted phishing, scam calls, or suspicious emails is recommended.
• Monitor linked accounts for unusual authentication attempts or communications referencing iiNet.
• Change passwords for connected services and review account security where possible.

Lessons & Takeaways

• Credential theft remains a major attack vector especially for critical systems with legacy access models.
• Segmentation and regular audit of employee credentials are foundational controls.
• Rapid containment, notification, and legal action (injunction) helped reduce further data exposure risks.
• Incident underscores the need for ongoing employee security training and multi-factor authentication for sensitive systems.

Ongoing Actions & Next Steps

• Forensics and root cause analysis are continuing.
• iiNet is supporting customers and reviewing its order management protocols.
• Updates will follow as investigation and remediation progress.