iiNet hacked with data relating to 280,000 customers affected

August 19, 2025

Another day, another data breach in Australia. This time iiNet has announced that it has suffered a data breach. The mode of entry was the use of employee credentials to get into iiNet’s order management system. The breach is reported by The Australian in “iiNet latest Aussie company to be hit by hackers”. iiNet released a media release earlier today titled “Cyber incident involving iiNet customers”. As is the way, the story has been covered across the media, with News.com.au, Information Age, Australian Cyber Security Magazine, AFR and Cyber Daily amongst others.

This data breach will be hugely embarrassing for iiNet. Its whole image is based around being more accessible (not in that way) and different from other telco providers. And better in a geekier, more friendly but more efficient sort of way. Now it finds itself suffering the sort of data breach other big organisations suffer.

iiNet’s media statement is quite good. For Australia. It provides some detail of what happened and how, though much is not revealed. That will be revealed if the Privacy Commissioner takes action or there is a class action. But being as transparent as possible is preferable to saying virtually nothing, as Genea has done with its much more serious data breach. iiNet provided detail of the nature of the personal information stolen: emails (280,000), phone numbers (20,000), user names and street addresses (10,000) and modem set-up passwords (1,700). Distressing and damaging as that may be, it did not involve financial information, dates of birth or any other personal information. iiNet has been more specific than most in how it responded. It can’t help itself in advising how it is liaising with the ACSC, the NOCS and the OAIC. On a more relevant note, it has set up a dedicated hotline. That is an excellent initiative. By contrast, Genea has been very difficult to contact and its responses have been wholly unhelpful, enraging patients. iiNet also provided some preliminary advice on what to do and answered frequently asked questions. Interestingly, iiNet responds to the question of why it was holding information on people who are no longer customers of iiNet. The answer is somewhat mealy-mouthed, including being due “to legal, regulatory, or operational requirements.” Mmmm.

The statement provides:

iiNet has been impacted by a cyber incident involving unauthorised access to its order management system by an unknown third party.

The iiNet ordering system is used to create and track orders for iiNet services, such as NBN connections. The system contains limited personal information. Importantly, it does not contain copies or details of customer identity document details (such as passport or driver’s licences), credit card or banking information.

What we are doing

Upon confirmation of this incident on Saturday, 16 August 2025, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our investigation.

We are making direct contact with affected customers to apologise and inform them of this incident, and to provide support and guidance on what to do next.

We are also liaising with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Office of the Australian Information Commissioner (OAIC) and other relevant authorities in response to this incident.

What personal information has been accessed in this incident?

Based on the current evidence from our forensic experts, it appears a list of email addresses and phone numbers was extracted from the iiNet system. The list contained around 280,000 active iiNet email addresses and around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers. In addition, around 10,000 iiNet usernames, street addresses and phone numbers and around 1,700 modem set-up passwords, appear to have been accessed.

What should customers do?

iiNet urges our customers to remain vigilant, especially to any suspicious communications received via email, text or phone call. If in doubt, contact iiNet directly or seek independent advice from trusted sources, including the Australian Cyber Security Centre at cyber.gov.au.

We have set up a dedicated hotline at 1300 861 036 so customers can reach us if they have any concerns.

We will continue to share updates direct with customers, on our website and via the media and our social channels.

Frequently asked questions

What steps can I take to keep my information safe and secure after this incident?

    • Be alert to any unusual communications claiming to be from iiNet.
    • Reset the passwords for your online accounts where you have used the same password as this incident.
    • Always use strong, unique passwords for all your accounts including any financial services accounts and update them regularly.
    • Enable multi-factor authentication for your online accounts where possible, including your email, banking, and social media accounts.
    • Be cautious of emails or calls asking for personal information or passwords.
    • Do not share your personal information with anyone (unless you are confident about who you are sharing it with).
    • Ensure you have up-to-date anti-virus software installed on any device you use to access your online accounts.

How do I reset my iiNet password?

You can reset your iiNet password in a few simple steps. We have a password reset support page that walks you through how to create a new password for your iiNet account.

What do I need to know about scam calls and phishing emails?

Scam calls, texts and phishing emails are becoming increasingly sophisticated and can appear to come from legitimate email addresses or phone numbers with local area codes. They will often claim to be contacting you from a reputable organisation, such as a government entity, bank, or telecommunications agency. They will also create a sense of urgency to try to get you to disclose sensitive information or to elicit funds from you.

How can I identify a suspicious URL?

    • When on a webpage asking for your login credentials, take note of the web address or URL. The URL is located in the address bar of your web browser and typically starts with ‘https://’.
    • If you are suspicious of a URL, do not provide your login details. Contact the entity through the usual channels to ensure you are logging into the correct web page.
    • Keep in mind: we will never contact you to ask for your username or password.

I’m no longer an iiNet customer. Why was my information compromised?

The incident involved a system that contained historical customer records. While you may not be an iiNet customer anymore, some of your information remained stored due to legal, regulatory, or operational requirements.

How can I contact iiNet for support?

We have set up a dedicated hotline so customers can reach us if they have any concerns.

Call: 1300 861 036

Hours: Monday-Friday 8.30am-8.00pm and Saturday-Sunday 9.00am-5.00pm AEST


The Australian article, borrowing heavily from its media statement, provides:

TPG’s internet business iiNet is the latest Australian company to fall victim to hackers, with about 280,000 customers caught in a mass cyber breach.

TPG said that hackers used stolen employee credentials to access iiNet’s order management system on Saturday, stealing a cache of customers’ contact information and passwords.

The strike comes as former Prime Minister Malcolm Turnbull lambasted a pervasive culture of complacency for fuelling a spate of high-profile cyber attacks — including the strikes on super funds and Qantas — urging directors and executives to be more hands-on in protecting Australian customers.

TPG chief executive Inaki Berroeta said: “We unreservedly apologise to the iiNet customers impacted by this incident”.

“We are continuing our investigations to ensure we understand all details surrounding this incident. We will begin contacting customers to make them aware of the incident, apologise and provide details on the support available.”

iiNet joins a growing list of companies including Qantas and Medibank that have been targeted by hackers, and is the second big telco to be hit after cyber criminals stole almost 10 million customer records from Optus in late 2022.

Despite the strikes, Mr Turnbull told this masthead before TPG’s attack that politicians and business leaders aren’t taking the breaches seriously enough, saying many are “treating ransomware attacks as just a cost of doing business”.

His urgent message: cyber security isn’t an IT problem, it’s an executive failure, demanding immediate boardroom-to-browser action to avoid catastrophic consequences, including identity fraud, loss of essential infrastructure and steep financial losses.

“Complacency is a real issue, and the fact that Australian companies are getting attacked repeatedly indicates that they’re not taking the threat seriously enough. If you are treating ransomware attacks as a ‘cost of doing business’, all you’re going to do is encourage more ransomware attacks. So the one message I would have is that if you are a director of a business or an owner, you have a duty to do everything you reasonably can to protect your company from cyber attacks,” Mr Turnbull said.

TPG said that it took immediate action following the breach.

“Upon confirmation of this incident on Saturday, 16 August, we enacted our incident response plan, began work to ensure the security of the system and to determine what occurred. We have engaged external IT and cyber security experts to assist with our response to the incident.

“Our teams have been working around the clock to understand the full scope of customer data affected by this breach, and how this might impact them.

“We are making direct contact with affected customers to inform them of this incident, and to provide support and guidance on what to do next.”

TPG said based on the current evidence from its forensic experts, “most of this data is of a non-identifying nature and used to authenticate and activate orders for iiNet services”.

“The list contained around 280,000 active iiNet email addresses and around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers. In addition, around 10,000 iiNet user names, street addresses and phone numbers and around 1700 modem set-up passwords, appear to have been accessed.

“We can confirm no credit, banking or financial information have been compromised. No driver’s license numbers, ID documentation details, or bank account details were disclosed as a result of this incident.”

TPG said it was working with the Australian Cyber Security Centre, the National Office of Cyber Security, the Australian Signals Directorate, the Office of the Australian Information Commissioner and other relevant authorities.

TPG urged customers to remain vigilant, especially to any suspicious communications received via email, text or phone call.

“We have set up a dedicated hotline at 1300 861 036 so customers can reach us if they have any concerns. A dedicated information page on our website has also been established to provide the latest updates about the incident.”

 
