One of the country’s largest ISPs disclosed a cyber attack impacting almost 300,000 Australians, proving that Aussie businesses are continuing to fail at cyber security 101.
On 19 August, iiNet, owned by TPG Telecom, disclosed that it had been the victim of a cyber attack that impacted up to 280,000 of its customers.
The attack vector? Once again, stolen credentials, likely compromised and bought on the dark web, allowed the unidentified hacker to access customer data on the company’s ordering system.
It’s the latest in a damningly long line of Australian companies failing to apply even the most basic security measures. Here’s what industry leaders and insiders have to say.
Rich Atkinson
Executive director, technology, at Airteam
TPG, Telstra, and Tangerine Telecom have all suffered credential-based breaches, proving this attack vector continues to succeed despite industry awareness.
When the same credential-based attack method works repeatedly against major telecommunications providers, we’re not dealing with sophisticated new threats but fundamental authentication weaknesses. Australian enterprises are failing to implement systems that assume credentials will be compromised and protect accordingly.
This pattern shows that reactive security measures cannot address the core problem. Australian businesses need security-by-design approaches that anticipate credential compromise rather than simply responding to it.
Tony Jarvis
Field CISO and VP APJ at Darktrace
iiNet is the latest Australian critical infrastructure operator to be breached via a third party using compromised employee access credentials likely purchased off the dark web.
Credentials-based attacks are not new, nor are they particularly sophisticated. And while insidious and pervasive, they are preventable. Enterprise cyber security 101 says access credentials must be routinely updated with strong, unique passwords and MFA enabled.
Australian organisations must heed these third-party attacks as a call to action. Cyber criminals are using AI to automate attacks, and only AI-augmented cyber security can defend against it. Investing in stronger visibility over, and insights into, third-party providers’ cyber posture must be a business priority.
Tyler McGee
Head of APAC at McAfee
The iiNet data breach underscores the persistent and evolving nature of cyber threats facing Australia. From healthcare and finance to retail and tech, attackers are constantly looking for weak spots to exploit, knowing how valuable this consumer data is.
Cyber criminals will take this treasure trove of sensitive information and use it to impersonate people and commit fraud with stolen identities, or they will package up and sell personal data on the dark web to the highest bidder. All of this results in consumers needing to be more cautious about who has access to their data and the proactive steps people can take to identify and stop scams, identity theft, and other online threats.
Marijus Briedis
Chief technology officer at NordVPN
The breach shows how one compromised employee account can expose hundreds of thousands of customers. Cyber security often isn’t just about firewalls but more about people. Companies must treat employee security training as seriously as their technical defences. When attackers can walk through the front door with stolen credentials, all your other security measures become irrelevant.
Three days between discovery and disclosure might not sound like much, but in cyber security terms, scammers have plenty of time to start targeting victims. The faster customers know about a breach, the faster they can protect themselves. Transparency allows people to secure their accounts before the bad actors strike.
If you’re an iiNet customer, don’t wait for their email – act now. Change your iiNet password, and if you’ve reused that password anywhere else, change those too. Enable two-factor authentication on your important accounts. Be ready for scammers to come with compelling emails. When in doubt, reach out to iiNet through official channels.
Those 1,700 modem passwords are the real concern here. If attackers can access a home or business router, they can intercept sensitive communications, redirect traffic to malicious sites, or use your network as a launching pad for other attacks. Contact iiNet about changing your router password immediately, and make sure your firmware is up to date.
iiNet’s system only contained limited information, preventing a worse outcome. Every business should ask: what data do we need to keep, and for how long? The less sensitive information you store, the less damage a breach can cause. It’s good business sense.
Kash Sharma
Managing director, ANZ, at BlueVoyant
Australia is facing a wave of reported third-party breaches, from Optus, Medibank, Qantas, and now iiNet, highlighting systemic vulnerabilities in vendor ecosystems. The cyber attack on iiNet, Australia’s third-largest internet provider, has reportedly exposed sensitive details from 280,000 customers, including emails, phone numbers, usernames, addresses, and modem setup passwords. Attackers are said to have gained access through iiNet’s order management system, once again showing how third-party systems can become the weak link in a supply chain.
While the Australian government has strengthened its national cyber defence posture in recent years, service providers remain prime targets due to the sheer volume of personal information they manage. This breach highlights how even seemingly peripheral vendor systems can hold valuable data that criminals can leverage.
For affected customers, the advice is clear: stay vigilant against suspicious emails, texts, or calls claiming to be from iiNet or related services, avoid clicking on links or downloading attachments from unknown sources, and update modem setup passwords if notified by iiNet.
For businesses, the lesson is broader. Vendor risk can’t be treated as a compliance exercise. Organisations must identify every third party with access to their systems, restrict privileges to only what’s necessary, and continuously monitor for vulnerabilities. Proactive collaboration with vendors, rapid remediation when issues arise, and transparent communication with stakeholders are necessary.
The iiNet incident reinforces a wider pattern we’re seeing across Australia: attackers increasingly target service providers and their vendors as an easier pathway into sensitive data. Protecting Australian businesses requires visibility, vigilance, and a culture where supply chain defence is viewed as a strategic priority across leadership, not just an IT concern.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.