iiNet has revealed hundreds of thousands of customers' details have been exposed in the hack
A cyberattack on TPG’s iiNet division has compromised the details of about 280,000 customers, the company has revealed.
TPG has revealed that hackers used stolen staff credentials to infiltrate iiNet’s order management system. The breach has exposed large volumes of customer data, including email addresses, phone numbers, and modem passwords, though the telco confirmed that no banking or identity documents were taken.
The breach, which the company detected on August 16 my again highlights how employee practices and organisational culture can determine the success or failure of security systems.
TPG Telecom chief executive officer, Inaki Berroeta said the company was contacting affected customers and working with government agencies and cyber experts. “We are continuing our investigations to ensure we understand all details surrounding this incident,” he said.
"Early investigations suggest the unauthorised access was gained using stolen account credentials from one employee," he said.
“We unreservedly apologise to the iiNet customers impacted by this incident,”he said.
Berroeta said no credit, banking or financial information had been compromised or driver’s license numbers, ID documentation details, or bank account details.
"While our investigation is ongoing, at this time it appears a list of email addresses and phone numbers was extracted from the iiNet system. The list contained around 280,000 active iiNet email addresses and around 20,000 active iiNet landline phone numbers, plus inactive email addresses and numbers. In addition, around 10,000 iiNet user names, street addresses and phone numbers and around 1,700 modem set-up passwords, appear to have been accessed," Berroeta said in a statement.
Lessons for HR leaders
For HR leaders, the breach carries an important reminder: human behaviour remains one of the most frequent entry point for cyber incidents. While technical safeguards are essential, stolen credentials, phishing, and social engineering continue to account for many of the major breaches now hitting Australian organisations.
News of the iiNet breach comes just one day after former prime minister Malcolm Turnbull, who has long warned about complacency in corporate Australia, said executives and directors were still failing to treat cyber risk as a core leadership responsibility.
"The government cannot protect you in this field," Turnbull said in the The Australian.
" Australian Signals Directorate does great work and obviously, Australian Cyber Security Centre and all the government agencies are very important. But … if you have a business, responsibility for protecting it against a cyber attack is yours."
His warning resonates not just in the boardroom but across HR teams charged with embedding awareness and resilience into the workforce.
The incident has landed in a broader climate of rising cyberattacks, from Qantas to Medibank and universities. Each has shown that breaches extend far beyond IT departments, affecting customer trust, and brand reputation.
Workforce considerations are increasingly central to cyber resilience. Employees often need rapid retraining after a breach, while HR teams must manage both internal communication and the heightened stress that accompanies such events. In some organisations, breaches have triggered large-scale resets of staff logins, mandatory training programs, and policy overhauls that fall squarely within HR’s remit.
The iiNet case also underscores the importance of recruitment and retention in cyber capability. External reports have noted that insurers and regulators are lifting the bar on security standards, requiring minimum controls such as identity management and email security.
Organisations without sufficient in-house expertise risk not only financial exposure but also reputational damage. HR leaders therefore play a role in ensuring that skilled cyber talent is attracted and retained, while general employees are equipped with the knowledge to identify and report suspicious activity.
Ultimately, the iiNet breach is a reminder that cyber risk is a people issue as much as a technology issue. For HR professionals, the challenge is to build a culture where awareness, accountability, and resilience are part of daily working life. As Turnbull noted, “cyber security isn’t an IT problem, it’s an executive failure.” For many HR teams, that message translates into a direct call to action.
