Following in the shadow of recent large-scale data hacks of Medibank and Optus, the TPG-owned iiNet has fallen victim to hackers with around 280,000 customers impacted.
TPG reports that the attack took place on Saturday, with hackers using stolen employee credentials to access iiNet’s order management system.
According to TPG, its forensic experts believe that “most of this data is of a non-identifying nature and used to authenticate and activate orders for iiNet services”.
Stolen data includes:
• Approximately 280,000 active iiNet email addresses
• Around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers
• Approximately 10,000 iiNet user names, street addresses and phone numbers
• Around 1700 modem set-up passwords
Reducing fallout
To TPG’s credit, the Internet service provider has been on the front foot in responding to the breach, acting quickly to identify its scope and to tell customers how they may have been impacted. The breach doesn’t appear to have impacted customer data as severely as the Optus breach, where customer IDs and Medicare information had been obtained.
The combination of apparent transparency, a prompt response, and the lower sensitivity of the data suggests that iiNet will not lose much ground with regard to brand integrity. Almost two years after the fallout from its data breach, Optus was still topping the list of Australia’s least-trusted brands.
Peak communications consumer body ACCAN issued a comment on the breach, with CEO Carol Bennett advising that “it is important that communication with customers is fast, accurate, and clear. TPG’s quick response and the information provided to customers is welcome.”
Bennett had advice for impacted customers: “Affected customers should remain alert and take steps to safeguard their personal information. Support is also available from IDCARE, Australia’s national identity and cyber support service, which can provide tailored advice to those who may be at risk.
“Australians have never been more exposed to cyber threats. The potential for harm when companies hold personal information is always present. This highlights the urgent need for stronger privacy protections, including limiting how long customer data is retained.”
TPG has confirmed that it is working with the Australian Cyber Security Centre, the National Office of Cyber Security, the Australian Signals Directorate, and the Office of the Australian Information Commissioner.
A warning against complacency
Early this week, digital security firm Semperis issued a report that found almost half of all cyber attacks are on understaffed weekends, with hackers making repeated attempts on the same businesses.
Former Prime Minister Malcolm Turnbull is an advisor for Semperis and told The Australian that it was important that businesses aren’t complacent and treat the security of their data with greater seriousness: “The government cannot protect you in this field. Australian Signals Directorate does great work and obviously, Australian Cyber Security Centre and all the government agencies are very important. But … if you have a business, responsibility for protecting it against a cyber attack is yours.
“When I was in office, I used to say to chief executives, ‘Do you know who in your organisation has administrative privilege? Who is your system’s administrator or administrators?’ And they generally had no idea. I said, ‘Well, don’t you think you should find out? Don’t you think you should know who’s got the keys to the castle?’ And so raising awareness is very important.
“Complacency is a real issue and the fact that Australian companies are getting attacked repeatedly indicates that they’re not taking the threat seriously enough. If you are treating ransomware attacks as a ‘cost of doing business’, all you’re going to do is encourage more ransomware attacks. So the one message I would have is that if you are a director of a business or an owner you have a duty to do everything you reasonably can to protect your company from cyber attacks.”