Australian internet provider iiNet has confirmed a cyberattack that compromised the personal details of hundreds of thousands of customers after an unknown third party accessed its order management system. Parent company TPG said early investigations suggest the breach occurred when attackers used stolen account credentials from an employee.

According to the company, around 280,000 active email addresses and about 20,000 active landline numbers were extracted, along with approximately 10,000 usernames, street addresses, and phone numbers. In addition, about 1,700 modem setup passwords were also accessed. Historical customer records were included, meaning even former customers may have been affected.

TPG said in a statement to the Australian Securities Exchange, “We unreservedly apologise to our iiNet customers impacted by this incident. We will be taking immediate steps to contact impacted iiNet customers, advise them of any actions they should take, and offer our assistance.” The company added that it would also reach out to non-impacted customers to confirm that their accounts are safe.

The compromised system is used to create and track iiNet orders, such as broadband connections. Importantly, iiNet said it does not store copies of ID documents or financial information in that system, noting that “no credit cards, banking details, or customer ID documents such as passports or driver’s licences were exposed.”

The incident was confirmed on August 16, but customers were not notified until August 19. In response, iiNet enacted its incident response plan, engaged external cybersecurity experts, and liaised with the Australian Cyber Security Centre, the National Office of Cyber Security, and the Office of the Australian Information Commissioner. The company also obtained an interim injunction to prevent any impacted data from being published or used by third parties.

A dedicated hotline has been established for concerned customers, and the company is urging vigilance against scams. “Be alert to any unusual communications claiming to be from iiNet,” the telco advised, warning that phishing emails and scam calls may attempt to exploit the heightened awareness around the breach.