Australia’s second-largest ISP has revealed a major data breach impacting hundreds of thousands of customers.
Parent company TPG Telecom notified the Australian Securities Exchange of the incident today. It said an “unknown third party” managed to gain unauthorized access to an order management system at subsidiary iiNet, in a breach discovered on Saturday.
“Upon confirmation of the incident on Saturday, 16 August 2025, we enacted our incident response plan and removed the unauthorized access to the system. TPG Telecom has engaged external IT and cybersecurity experts to assist with our response to the incident,” noted the letter.
“At this time, the unauthorized access appears to have been contained to the iiNet order management system. Early investigations suggest the unauthorized access was gained using stolen account credentials from an employee.”
TPG Telecom claimed the order management system contains “limited” personal information on customers, with no identity documents, credit cards or other financial information compromised.
However, it did admit that the unauthorized third party got hold of:
- 280,000 active iiNet email addresses
- 20,000 active iiNet landline phone numbers
- 10,000 iiNet usernames, street addresses and phone numbers
- 1700 modem set-up passwords
- An unspecified number of “inactive” email addresses and landline numbers
The telecoms giant said it has contacted the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Australian Signals Directorate (ASD) and the Office of the Australian Information Commissioner (OAIC), alongside other relevant authorities.
It’s unclear exactly how the iiNet employee’s credentials were obtained, although infostealers are a growing threat. The banking logins of more than 30,000 Australians were harvested by infostealer malware between 2021 and 2025, according to one recent study.
The Australian government has been trying to improve cybersecurity standards across the country since a spate of data breach incidents dating back to 2022.
First came the 2023-2030 Australian Cyber Security Strategy, which sets out a roadmap for Australia to become a “world leader” in cyber by 2030. Then, in 2024, lawmakers passed theCyber Security Act – Australia’s first standalone piece of cybersecurity legislation.