'Limited' data leak at Aussie telco turns out to be 280K customer details
(2025/08/20)
- Reference: 1755708307
- News link: https://www.theregister.co.uk/2025/08/20/tpg_telecom_iinet_breach/
Aussie telco giant TPG Telecom has opened an investigation after confirming a cyberattack at subsidiary iiNet.
It said the "cyber incident" was contained on August 16 and the attackers were ousted from iiNet's systems, but it called in outside help to manage the cleanup.
Stolen credentials
TPG, which acquired iiNet in 2015, said the intrusion took place after the credentials belonging to a single employee were stolen.
Cyberattacks begin in various ways, but the abuse of genuine staff credentials is one of the most common, and there are plenty of ways of acquiring the keys to a company's systems.
Phishing's prevalence is well-known in the cred-snatching game, but in recent years infostealer malware has emerged as an [1]equally serious threat to organizations.
It's one that global authorities are [2]fighting as vehemently as the likes of ransomware, primarily because the two are so interlinked.
A regular precursor to ransomware attacks, [3]infostealers are often spread through compromised websites or [4]phishing emails, and are capable of quietly scooping up usernames and passwords en masse, making them a valuable tool for serious cybercriminals.
They're cheap, too. When Dutch cops [5]took down the Redline and Meta infostealers last year, security shops said that budding cybercrooks could pick up a copy of either for as little as $150.
At present, the attack is thought to be isolated to iiNet's order creation and tracking system, and contained only "limited personal information."
"Limited" is doing a lot of heavy lifting, as the company went on to say that it looks like the attackers copied a trove of active customer email addresses – about 280,000.
That doesn't include the approximately 20,000 active iiNet landline phone numbers, or the 10,000 customer usernames, street addresses, and phone numbers, and roughly 1,700 modem setup passwords.
An undisclosed number of inactive email addresses and phone numbers were also swiped, TPG said.
"We unreservedly apologise to our iiNet customers impacted by this incident," it [9]told [PDF] the Australian Securities Exchange on Tuesday. "We will be taking immediate steps to contact impacted iiNet customers, advise of any actions they should take, and offer our assistance.
"We will also contact all non-impacted iiNet customers to confirm they have not been affected. We do not currently have any evidence to suggest an impact to our broader systems or other customers."
TPG Telecom operates some of the biggest brands in Australia, and is the second-largest listed telco in the country behind Telstra.
In addition to iiNet, it owns Vodafone, Lebara, Internode, Felix Mobile, AAPT, and its eponymous provider, TPG.
Per its most recent annual report, it delivers mobile services to 5.51 million subscribers and internet services to 2.08 million across all of its brands. ®
[1] https://www.theregister.com/2025/07/07/phishing_platforms_infostealers_blamed_for/
[2] https://www.theregister.com/2025/05/21/lumma_infostealer_service_busted/
[3] https://www.theregister.com/2025/02/26/hibp_adds_giant_infostealer_trove/
[4] https://www.theregister.com/2025/04/23/stolen_credentials_mandiant/
[5] https://www.theregister.com/2024/10/28/dutch_cops_pwn_the_redline/
[9] https://wcsecure.weblink.com.au/pdf/TPG/02980096.pdf
'limited' damage?
I might have the answer: the Board looked at the problem and quickly established that none of them were mentioned in the data export. Therefore the leak was indeed limited - limited to just customer security data. Big sighs of relief all round.