Australian ISP iiNet has confirmed a cybersecurity breach in its order management system, compromising sensitive customer information and underscoring the growing vulnerability of digital infrastructure providers.
In a statement issued on 19 August, the company said it had confirmed the breach internally on 16 August after detecting unusual activity. The compromised system is used to create and track service orders, including National Broadband Network (NBN) connections, making it a critical operational hub.
According to iiNet’s forensic team, the attackers accessed:
- ~280,000 active iiNet email addresses
- ~20,000 landline phone numbers
- ~10,000 usernames, street addresses, and phone numbers
- ~1,700 modem set-up passwords
The company clarified that no passports, driver’s licences, banking, or credit card details were stored in the system, reducing—but not eliminating—the risk to customers. Importantly, former customers were also impacted since iiNet retains some customer records to meet legal and regulatory requirements.
Following the confirmation, iiNet triggered its incident response plan, engaging external cybersecurity specialists while coordinating with the Australian Cyber Security Centre (ACSC), the National Office of Cyber Security (NOCS), and the Office of the Australian Information Commissioner (OAIC).
The ISP has begun directly notifying affected customers, offering apologies, support, and advice to mitigate potential risks.
This incident adds iiNet to the growing list of Australian organisations hit by high-profile cyber events in recent years, highlighting the escalating cyber threat landscape facing critical communications providers. With sensitive email and phone data now exposed, experts warn of a heightened risk of phishing campaigns and social engineering attacks targeting customers.
For iiNet, the breach is more than an operational setback—it is a test of trust. As Australia continues its push for digital transformation, the incident highlights how telcos and ISPs must strengthen their resilience against evolving cyber threats.


