Another Australian telecommunications giant has suffered a major cyber security incident, as TPG reveals an email hosting service used by up to 15,000 business customers has been breached.
TPG Telecom says it was made aware of the incident on 13 December when its external cyber security advisers, Mandiant, brought forth evidence of unauthorised access to a Hosted Exchange service used for iiNet and Westnet business customers.
Hosted Exchange is a Microsoft service used by providers in the telecommunications industry, such as iiNet and Westnet, to provide email hosting services to customers.
The service affected in this breach hosts email accounts for up to 15,000 iiNet and Westnet business customers.
In a release to the Australian Securities Exchange (ASX) on 14 December, TPG said the "threat actor" behind the incident appeared to be aiming for customers' cryptocurrency and financial information.
The company is yet to disclose the full extent of the attack, meaning it is currently unclear as to whether customer data or email accounts were successfully compromised. An investigation is currently underway.
"We apologise unreservedly to the affected iiNet and Westnet Hosted Exchange business customers," said TPG Telecom.
"We continue to investigate the incident and any potential impact on customers, and are advising customers to take necessary precautions."
TPG also says it has implemented measures to halt the unauthorised access, and has put in place further security measures more broadly.
The incident reportedly does not affect any home or personal iiNet or Westnet products such as broadband or mobile.
The process of contacting all affected customers on the Hosted Exchange service is underway, and relevant government authorities have been notified.
One after the other
Australia is in the midst of an unprecedented wave of cyber crime against large organisations, and telecommunications companies have been a recurrent target.
It began in September with the landmark data breach against Optus which affected up to 9.8 million current and former customers.
Since then, Australian giants such as Medibank and LJ Hooker have experienced major data breaches of their own.
Telstra, which is arguably TPG's biggest rival, has appeared twice in the news over the last three months for two separate data breaches.
The first was an incident wherein approximately 30,000 Telstra staff records dating back to 2017 appeared on the same hacker forum linked to the Optus attack.
The data consisted of names and email addresses belonging to both current and former staff, and the breach reportedly stemmed from a previously used third-party platform related to a staff reward program.
Telstra then reported a second data breach in December, wherein an internal mistake led to the exposure of more than 130,000 customers' personal details.
The telecommunications provider said this second breach was not a result of malicious activity, but rather a "misalignment of databases."
In response to the ongoing wave of data breaches against companies such as Optus, TPG, and Telstra, the Australian Government has fast-tracked new legislation to help deter further incidents.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed both houses of Parliament in late November, introducing fines of $50 million to companies for "serious or repeated" privacy breaches.
Further, the bill introduces new powers to the Office of the Australian Information Commissioner, Australia's privacy watchdog, to better combat future data breaches.
If you are an iiNet or Westnet customer concerned that your email or data may have been impacted by this breach, TPG has said it will be "communicating with directly affected customers" as more information becomes available.