iiNet suffers data breach

June 9, 2015

With the passage of the metadata laws, Australian telcos will soon be storing a huge amount of personal information belonging to Australians. It is a huge task and a massive potential risk if there is a data breach. There is also the potential honeypot effect, with hackers knowing that a very significant amount of information will now be stored by telcos. In that context it is concerning that iiNet has reportedly suffered a data breach, according to “iiNet alert over security breach”. Interestingly, knowledge of the breach came about as a result of the hacker offering to sell personal information. That is more common than one might think. If there was a breach it will be very interesting to see how the Privacy Commissioner deals with it. He now has significantly greater powers to take action for breaches of the Australian Privacy Principles. He has always had the power under section 98 of the Privacy Act to seek injunctive relief, which can compel action as well as prohibit action.

The article provides:

Perth internet provider iiNet is investigating a possible security breach after details were posted on social media about the sale of the database of a major internet service provider.

Cyber War News posted an image on Twitter yesterday detailing claims of the sale or trade of an extensive amount of westnet.com.au’s database, including passwords. Westnet was acquired in May 2008 by iiNet.

The person offering to sell the details is known only by their two Jabber instant messaging contact addresses: rain@dlab .im and mufasa@tigase.im.

“I am selling the db (database) of a major ISP in Australia,” the person wrote. “Those interested can contact me via Jabber.”

The data could potentially be used to reveal personal details such as phone numbers, addresses and credit card details.

iiNet chief information officer Matthew Toohey said last night the company was investigating.

iTnews has also reported on the breach in “iiNet investigates alleged theft of customer database”, which provides:

Hacker claims to have data to sell.

An unknown hacker claims to have breached iiNet subsidiary Westnet and accessed a large database of information including customer data.

The hacker – who goes under the moniker Mufasa The God – is offering the data for sale in an online forum, claiming it contains unencrypted passwords.

The attacker did not post any sample information from the database, and is yet to name a price for the information.

The claims were first spotted by Sydney-based infosec watcher Cyber War News on Twitter, which posted a screenshot of the hacker’s sales offer.

iiNet chief information officer Matthew Toohey told iTnews the provider had been made aware of a possible security breach on a Westnet system and was currently investigating.

“Our customers’ privacy and security is our highest priority and we will advise customers if any action is required,” Toohey said.

He did not provide any further detail on the intrusion – including the number of potential customers affected – or if a mass customer password reset was required.

However in an email to customers, iiNet advised users to change their passwords.

“Customer username, address, telephone and, in some cases, password information may have been accessed, however, no payment details were stored on the server. The system is now offline and at no further risk,” iiNet advised.

“As a precautionary measure we recommend you change the passwords associated with your Westnet email addresses immediately to prevent any unauthorised access.”

The hacker appeared to be offline and uncontactable over the long weekend.

iiNet acquired Westnet for $81 million in 2008.
