- Attackers used stolen employee logins to break into iiNet’s order system and extract user data.
- The breach exposed about 280,000 email addresses, 20,000 landline numbers and 10,000 usernames with street addresses.
What happened: TPG Telecom in Australia confirmed a cyber incident in its iiNet order system
TPG Telecom, which is the second biggest internet provider in Australia, said on 19 August that there was a cyber incident in the order management system of its iiNet brand. Hackers entered the system by using stolen employee logins. They moved through the system and collected information that was stored there.
The data that was exposed included around 280,000 active iiNet email addresses and around 20,000 active landline numbers. It also included about 10,000 usernames with names, home addresses, and phone numbers, and there were also some modem set-up passwords.
TPG said that no sensitive documents and no banking details were stored in the system. TPG also said that there is no sign that the breach reached other systems. After the breach was confirmed, TPG worked with outside cyber experts and shut down access to the system so the attacker could no longer reach it.
Why it’s important
The breach shows that a system that is not built to store sensitive data can still be used to leak large amounts of user information. It also shows that employee login details are often the weak point in company security.
In Australia, cyber security has already become a bigger issue because of big breaches at Optus and Medibank, which affected millions of people and created debate about how companies store and protect data.
This latest event adds to that pressure and shows again that telecom firms are still prime targets. TPG tried to ease concern by explaining that the breach was only in iiNet’s order system and that no financial or ID details were taken. The company also pointed out that it acted quickly with experts to secure the breach and that it was in contact with regulators.