Hackers infiltrate and expose personal data of over 280,000 iiNet customers in cyber attack.
In a recent disclosure, Australia's second-largest internet service provider, TPG Telecom, has confirmed a data breach affecting hundreds of thousands of its customers. The breach, which was discovered on Saturday, 16th August 2025, occurred in the order management system of TPG Telecom's subsidiary, iiNet.
Preliminary investigations suggest that the unauthorized access was gained using stolen account credentials from an employee. Infostealers, a type of malware, are suspected to be the method used to obtain the credentials.
The breach exposed 280,000 active iiNet email addresses, 10,000 iiNet usernames, street addresses, and phone numbers, and 1700 modem set-up passwords. In addition to the active data, an unspecified number of "inactive" email addresses and landline numbers were also accessed.
However, TPG Telecom has assured that no identity documents, credit cards, or other financial information have been compromised in the breach. Moreover, a recent study has shown that more than 30,000 Australian banking logins were harvested by infostealer malware between 2021 and 2025.
TPG Telecom has removed the unauthorized access to the system and engaged external IT and cybersecurity experts to assist in the response. The company has also contacted the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Australian Signals Directorate (ASD), the Office of the Australian Information Commissioner (OAIC), and other relevant authorities.
The Australian Federal Police (AFP) is alleged to have stolen the password of the affected iiNet employee and may have been involved in the data breach. However, further details about the nature and extent of the data breach have not been disclosed.
The Australian government has been working to improve cybersecurity standards since 2022, with the 2023-2030 Australian Cyber Security Strategy and the passage of the Cyber Security Act in 2024. TPG Telecom notified the Australian Securities Exchange of the incident today.
Customers affected by the data breach have been notified and advised to change their email passwords and modem set-up passwords as a precautionary measure. TPG Telecom has apologised for any inconvenience caused and assured customers that they are committed to protecting their personal information.
This incident serves as a reminder for the importance of cybersecurity and the need for continuous efforts to protect personal data. As more and more of our lives move online, it is crucial that we take steps to secure our digital information.
