iiNet, an Australian Internet Service Provider, experiences data breach involving over 280,000 records.
In a shocking turn of events, Australia's second-largest internet service provider, TPG Telecom, has announced a data breach affecting hundreds of thousands of its customers. The breach was discovered on August 16, 2025, and it appears to have been contained to the order management system of TPG Telecom's subsidiary, iiNet.
Preliminary investigations suggest that the unauthorized access was gained using stolen account credentials from an employee. Infostealers, a type of malware, are suspected as a potential means by which the employee's credentials were obtained.
The data breach has resulted in the unauthorized access of more than 30,000 active iiNet landline phone numbers, 280,000 active iiNet email addresses, 10,000 iiNet usernames, street addresses, and phone numbers, and 1700 modem set-up passwords. An unspecified number of "inactive" email addresses and landline numbers were also accessed.
However, TPG Telecom has assured its customers that no identity documents, credit cards, or other financial information have been compromised in the breach. The order management system contains limited personal information on customers, which likely explains why sensitive data was not exposed.
In response to the incident, TPG Telecom has engaged external IT and cybersecurity experts, including PwC, to handle the incident related to the iiNet data breach. The company has also contacted the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Australian Signals Directorate (ASD), the Office of the Australian Information Commissioner (OAIC), and other relevant authorities regarding the data breach.
This data breach comes at a time when the Australian government has been working to improve cybersecurity standards. Since 2022, the government has been making strides in this area, including the release of the 2023-2030 Australian Cyber Security Strategy and the passing of the Cyber Security Act in 2024. The Cyber Security Act is Australia's first standalone piece of cybersecurity legislation.
It's important to note that this isn't the first time infostealers have been used in Australia. A recent study revealed that more than 30,000 Australian banking logins were harvested by infostealer malware between 2021 and 2025.
TPG Telecom is currently working to inform affected customers and provide them with guidance on protecting their personal information. The company urges its customers to be vigilant and to report any suspicious activity to the relevant authorities.
As the investigation into the data breach continues, TPG Telecom remains committed to ensuring the security of its customers' personal information and to taking all necessary steps to prevent such incidents in the future.
