iiNet Confirms Cyber Breach Exposing Customer Contact Details

Australian internet service provider iiNet has confirmed a cyber incident that exposed the contact details of hundreds of thousands of customers, after an unauthorised third party gained access to its order management system.
The Perth-headquartered company, part of the TPG Telecom group, said the breach was identified and contained on Saturday, 16 August 2025. The compromised system is used to process and track service orders, such as NBN connections, and does not hold sensitive identity or financial information.
In a statement released this week, iiNet said the attack appeared to have resulted in the theft of around 280,000 active customer email addresses and 20,000 active landline numbers. The breach also included 10,000 usernames, street addresses and phone numbers, and approximately 1,700 modem set-up passwords. A larger set of inactive contact details is also believed to have been accessed.
The company stressed that no driver’s licences, passports, credit card details or banking information were stored on the affected platform.
“We enacted our incident response plan immediately and engaged external cybersecurity experts to investigate,” iiNet said. “We are working closely with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Office of the Australian Information Commissioner (OAIC) and other relevant authorities.”
iiNet confirmed it is contacting affected customers directly, apologising for the incident and providing guidance on what to do next. The telco has urged customers to be especially cautious of phishing attempts, given the exposed information could be used to craft convincing scam messages.
While iiNet downplayed the sensitivity of the data involved, cyber experts note that email addresses and phone numbers can still be highly valuable to threat actors. Such information is often used in targeted phishing and social engineering campaigns, sometimes as a precursor to identity theft or further account compromise.
“Credentials-based attacks are not new,” according to Tony Jarvis, Field CISO and VP APJ, Darktrace, “nor are they particularly sophisticated. And while insidious and pervasive, they are preventable. Enterprise cybersecurity 101 says access credentials must be routinely updated with strong, unique passwords and MFA enabled.”
Affected customers are being advised to:
  • Be alert to suspicious emails, texts or phone calls claiming to be from iiNet or related services.
  • Avoid clicking links or downloading attachments from unverified senders.
  • Change modem set-up passwords if notified by iiNet that their credentials were exposed.
The breach adds iiNet to the growing list of Australian telecommunications providers targeted by cybercriminals in recent years, following high-profile incidents at Optus in 2022 and Latitude Financial in 2023. The Australian government has since bolstered its national cyber defence measures, but industry experts warn that service providers remain prime targets due to the scale of personal information they manage.
The Office of the Australian Information Commissioner will be monitoring iiNet’s handling of the breach under the Notifiable Data Breaches (NDB) scheme, which requires organisations to inform affected individuals and report to the OAIC when serious data exposures occur.
iiNet said its priority remains the security of its systems and the trust of its customers. “We take this incident extremely seriously and sincerely apologise for the concern it may cause,” the company stated.
Customers with questions or concerns are encouraged to visit iiNet’s website or contact its support team for further information.