Australian ISP iiNet Suffers Breach of 280,000+ Records

Australia's second-largest internet service provider (ISP), iiNet, has revealed a major data breach impacting hundreds of thousands of customers. The breach was discovered on Saturday, August 16, 2025, and parent company TPG Telecom notified the Australian Securities Exchange of the incident today.

According to TPG Telecom, an "unknown third party" managed to gain unauthorized access to an order management system at subsidiary iiNet. The breach was contained after the company enacted its incident response plan and removed the unauthorized access from the system. External IT and cybersecurity experts have been engaged to assist with the response to the incident.

TPG Telecom claimed that the order management system contains "limited" personal information on customers, but no identity documents, credit cards, or other financial information were compromised. However, the breach exposed sensitive data including the stolen account credentials of an iiNet employee, which were used by the unauthorized third party to gain access to the system.

It is unclear exactly how the iiNet employee's credentials were obtained, but infostealers are a growing threat in Australia. A recent study found that infostealer malware had harvested the banking logins of more than 30,000 Australians between 2021 and 2025. This highlights the need for improved cybersecurity standards across the country.

The Australian government has been trying to improve cybersecurity standards since a spate of data breach incidents dating back to 2022. In 2023, the Australian Cyber Security Strategy was launched, setting out a roadmap for Australia to become a "world leader" in cyber by 2030. In 2024, lawmakers passed the Cyber Security Act – Australia's first standalone piece of cybersecurity legislation.

TPG Telecom has reached out to various authorities, including the Australian Securities Exchange, the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Australian Signals Directorate (ASD), and the Office of the Australian Information Commissioner (OAIC). The company is committed to investigating the incident further and ensuring that its customers' personal data is protected.

The breach serves as a reminder of the importance of cybersecurity for organizations, especially those handling sensitive customer information. It also highlights the need for continued vigilance from individuals in protecting their online accounts and credentials.