TPG Telecom Investigates iiNet Data Breach Impacting Thousands of Customers

August 19, 2025 – TPG Telecom, one of Australia’s leading providers of mobile voice and data services, has confirmed a cybersecurity incident involving its iiNet subsidiary. The breach was linked to unauthorized access to an internal order management system used for creating and tracking iiNet broadband and related services.

Nature of the Breach

According to TPG Telecom, the compromised platform contained personal data such as customer names, email addresses, phone numbers, and home addresses. Fortunately, the system did not store highly sensitive information like payment card details, banking records, or identification documents.

The company stated that preliminary evidence suggests the attackers gained access using login credentials stolen from a single employee. “At this stage, the unauthorized activity seems limited to the iiNet order management system,” TPG noted.

Data Compromised

Investigators have determined that significant amounts of customer data were exfiltrated by the attackers, including:

  • 280,000 active iiNet email addresses
  • 20,000 active iiNet landline numbers
  • Several inactive email accounts and phone numbers
  • 10,000 iiNet usernames, physical addresses, and phone numbers
  • 1,700 modem setup passwords

Although this data set does not include financial information, exposure of these details still creates a risk of phishing attacks, identity fraud, and other malicious activity.

Company Response

TPG Telecom emphasized that, so far, there is no indication of compromise across its broader systems or other customer accounts outside of iiNet. The company has launched a thorough investigation, working with cybersecurity experts to contain the breach, strengthen defenses, and assess the full scope of the incident.

Broader Implications

This case highlights how cybercriminals can exploit a single compromised employee account to gain access to critical systems, underlining the importance of:

  • Strong identity and access management
  • Regular credential hygiene and monitoring
  • Zero-trust security models to limit lateral movement

Data breaches of this kind serve as a reminder that attackers often target less obvious but highly valuable internal systems—such as order management or CRM tools—because they hold large amounts of customer data without necessarily having the same security controls as core financial platforms.

What Comes Next

TPG Telecom has committed to keeping affected customers informed and providing guidance on protective measures against potential misuse of their personal information. As the investigation continues, the company is expected to implement stronger identity controls and expand security awareness efforts across its workforce.

Source: https://www.securityweek.com/australias-tpg-telecom-investigating-iinet-hack