TPG Telecom confirms that a cyber incident affecting its iiNet subsidiary exposed the personal data of approximately 280,000 customers, marking one of the most significant breaches reported in Australia this year.
TPG Telecom, formerly known as Vodafone Hutchison Australia, is the country’s second largest telecom provider and the parent company of iiNet. It has a recorded revenue of AU$5.54B in 2024 and a market cap of AU$9.86B.
In a filing to the Australian Securities Exchange (ASX) today, TPG said an unknown third party gained unauthorized access to an iiNet order management system on August 16, using “stolen account credentials” from a single employee. The system is used to create and track broadband and related service orders, TPG said.
In a separate announcement from iiNet, the company said, the investigation supported by external cybersecurity experts revealed that attackers accessed “limited” personal information. This includes around 280,000 active iiNet email addresses, 20,000 active landline phone numbers, as well as approximately 10,000 usernames, residential addresses and contact numbers. In addition, about 1,700 modem setup passwords were compromised.
The exposed system did not contain identity documents such as passports or driver’s licenses, nor any credit card or banking data, the telecom giant said.
iiNet said it moved quickly to disable unauthorized access once the intrusion was identified and has engaged with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), the Australian Signals Directorate (ASD), and the Office of the Australian Information Commissioner (OAIC) as part of its response.
iiNet has begun directly contacting affected customers to advise them of next steps, including increased vigilance against phishing emails and phone scams, which are common after breaches of this nature. Customers not impacted by the incident will also be contacted to confirm their data remains secure.
While the breach appears to have been contained within the iiNet order management system, the scale of the compromise adds further pressure on Australia’s telecommunications sector, which has faced repeated cyber incidents in recent years. Most notably, the 2022 Optus breach exposed the data of 9.8 million customers, sparking regulatory reform and civil penalty action against the carrier.
Read: Australian Information Commissioner Seeks Civil Penalty Action Over 2022 Optus Data Breach
TPG Telecom apologized to affected iiNet customers, saying:
“We unreservedly apologize to our iiNet customers impacted by this incident. We will be taking immediate steps to contact impacted iiNet customers, advise of any actions they should take, and offer our assistance.” (sic)
For now, TPG maintains there is no evidence the attackers gained access to broader TPG systems or customer bases beyond iiNet. Still, the breach shows the persistent risks around credential theft and highlights the importance of multi-factor authentication and stronger access controls across critical business systems.
