The breach of an order management system has compromised the details of around 280,000 customers of internet service provider (ISP) iiNet, the company has confirmed as it urges customers to “remain vigilant” for “unusual communications” from scammers.
Detection of the incident, which occurred on Saturday, led the company – a brand of TPG Telecom, Australia’s second largest ISP – to kick off its incident response plan and engage outside IT and cybersecurity experts, the company said.
Initial investigations suggested that an “unknown third party” had extracted a list of email addresses and phone numbers from the order management system.
That system is used to create and track orders for NBN connections and other iiNet services but “contains limited personal information”, iiNet said, emphasising that it doesn’t contain details of customer identity documents such as passports, driver’s licenses, or credit cards.
Around 280,000 “active iiNet email addresses” and 20,000 active landline phone numbers had been taken during the incident, with inactive email addresses and numbers also compromised alongside 10,000 iiNet usernames, street addresses and phone numbers.
Some of the data pertains to people who are no longer customers of iiNet, but had been stored in the system due to “legal, regulatory, or operational requirements,” the company said.
Yet another reminder of our exposure
TPG’s “quick response and the information provided to customers is welcome,” Australian Communications Consumer Action Network (ACCAN) CEO Carol Bennett said as news of the breach emerged, noting that when such breaches do occur “it is important that communication with customers is fast, accurate, and clear.”
“Australians have never been more exposed to cyber threats,” Bennett said, warning that “the potential for harm when companies hold personal information is always present.”
“This incident must prompt all businesses to review how they protect customer data,” she said, “and to ensure that privacy and security practices are robust enough to prevent this sort of event from happening again.”
The incident raises additional concerns for customers, since some 1,700 modem setup passwords had also been taken – raising the spectre of potential follow-on bot attacks that target consumers’ home Internet routers.
This common threat is faced by every homeowner and small business: in 2024, for example, Lumen Technologies identified malware, called TheMoon, which was “abusing outdated and unsupported routers” to support a “cybercriminal focused proxy service” called Faceless.
Expect scammers to swarm
iiNet is contacting customers directly with “support and guidance” about the breach and what they should do now, the company said in advising customers to reset passwords for any online account where they used the same password as they used for iiNet.
Such incidents inevitably become fodder for scammers to target affected victims, with the company warning customers to be “cautious of emails or calls asking for personal information or passwords” and suspicious of any messages claiming to be from iiNet.
“Increasingly sophisticated” scammers “create a sense of urgency to try to get you to disclose sensitive information or to elicit funds from you,” iiNet said, recommending multi-factor authentication for banking, social media, email and other accounts “where possible.”
Cyber criminals have proven increasingly adept at capitalising on the proceeds of their data breaches, with many targeting customer support systems and, as in major breaches like that of Qantas, talking their way past security measures to be given clear access to the systems.
It is not yet clear whether such a tactic was used in the iiNet breach. While its scope is much smaller than that of Optus – whose 2022 compromise recently saw it sued by the Australian Information Commissioner – the impact on consumers is no less problematic.
iiNet has set up a dedicated hotline (1300 861 036) for customers concerned about the breach.