iiNet

Summary

iiNet, an Australian ISP owned by TPG Telecom, suffered a data breach on 16 August 2025 when an unknown third party gained unauthorised access to its order management system using stolen employee credentials. The breach exposed data of approximately 280,000 customers, including active email addresses, landline phone numbers, street addresses, usernames, and modem setup passwords. No credit cards, banking details, or identity documents were compromised.

What Happened

On 16 August 2025, iiNet detected unauthorised access to its order management system. Early investigations revealed that the attacker gained access using stolen account credentials from an employee. The compromised data included approximately 280,000 active iiNet email addresses, around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers. Additionally, around 10,000 iiNet usernames, street addresses and phone numbers, and approximately 1,700 modem setup passwords were accessed.

Impact on Individuals

Approximately 280,000 iiNet customers had their contact information exposed. The breach included active and inactive email addresses, landline phone numbers, street addresses, usernames, and modem setup passwords. TPG Telecom confirmed that no credit cards, banking details, or customer identity documents such as passports or driver licences were exposed, as that information was not held in the compromised system.

Organisational Response

Upon confirming the incident on 16 August 2025, iiNet immediately enacted its incident response plan and removed the unauthorised access to the system. TPG Telecom engaged external IT and cybersecurity experts to assist with the response and investigation. TPG Telecom CEO Iñaki Berroeta issued an unreserved apology to affected customers and stated the company would continue investigations to understand all details surrounding the incident.