In a concerning development for Australian consumers, TPG Telecom’s sub-brand iiNet has fallen victim to a significant data breach. The incident, which came to light on August 19, 2025, has exposed the personal information of hundreds of thousands of current and former customers. This breach serves as another stark reminder of the escalating cyber threats facing businesses and individuals across the country.
What Happened?
According to an ongoing TPG investigation, an unauthorised third party gained access to iiNet’s order management system. Early findings suggest the attacker used stolen account credentials from an iiNet employee to carry out the breach. The compromised data included:
- Approximately 280,000 active iiNet email addresses.
- Around 20,000 active landline phone numbers.
- About 10,000 usernames, street addresses, and phone numbers.
- Approximately 1,700 modem setup passwords.
TPG has confirmed that more sensitive information, such as credit card or banking details, as well as customer identity documents like passports or driver’s licenses, was not stored in the compromised system and is therefore safe.
Industry and Customer Response
The Australian Communications Consumer Action Network (ACCAN), the peak body for communications consumers, has acknowledged the breach and called on all businesses to strengthen their data protection measures. ACCAN CEO Carol Bennett stated, “iiNet customers are the latest to be targeted by online criminals. This incident must prompt all businesses to review how they protect customer data, and to ensure that privacy and security practices are robust enough to prevent this sort of event from happening again.”
Ms. Bennett also emphasised the need for stronger privacy protections, including policies that limit how long customer data is retained. She praised TPG’s quick response and communication with affected customers but highlighted that thousands of cyber breaches occur in Australia each year, underscoring the need for constant vigilance.
What should you do?
With email addresses and phone numbers compromised, there is a heightened risk of targeted phishing scams. TPG is directly contacting affected customers and urging them to take proactive steps to protect their information.
Key recommendations include:
- Be Alert: Exercise extreme caution with all emails and text messages, especially those claiming to be from iiNet or other companies. Do not click on suspicious links or provide any personal information.
- Change Passwords: If you are among the approximately 1,700 customers whose modem setup password was compromised, you should change it immediately. It’s also a good practice to change passwords for any online accounts that may be linked to your iiNet email address.
- Seek Support: Help is available. TPG has established a dedicated hotline for concerned customers. Additionally, IDCARE, Australia’s national identity and cyber support service, offers free, expert advice to those at risk.
Official Contacts for Assistance
- TPG/iiNet Hotline: 1300 861 036
- IDCARE: 1800 595 160
This incident is the latest in a series of high-profile cyberattacks in Australia, following major breaches at companies like Optus and Medibank. It reinforces the urgent need for robust cybersecurity measures across all sectors and for consumers to be aware of the risks and how to protect themselves. TPG has engaged external cybersecurity experts and is working with the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) as part of its ongoing investigation.
