TPG’s iiNet unit has announced a major cyber breach- underscored the escalating cyber risks facing Australian organisations, with insurers tightening cover requirements and boards facing mounting pressure to treat security as a frontline governance issue.
TPG confirmed that hackers exploited stolen employee credentials to access iiNet’s order management system, exposing about 280,000 active email addresses, 20,000 landline numbers, and a further trove of customer information including usernames, addresses, and modem setup passwords. The telco said no financial or identity documents were compromised, but it has begun contacting affected customers and set up a dedicated hotline.
Chief executive Iñaki Berroeta apologised to customers and said external experts and government agencies, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner, had been engaged. “We are continuing our investigations to ensure we understand all details surrounding this incident,” he said.
The breach follows similar high-profile attacks on Qantas and Medibank, and comes as former prime minister Malcolm Turnbull again criticised the corporate response to ransomware and data theft. He warned that too many leaders were “treating ransomware attacks as just a cost of doing business,” a stance he described as an abdication of directors’ duties.
For the insurance sector, the iiNet incident highlights a trend already influencing underwriting across Australia and New Zealand. According to Arctic Wolf’s 2025 Cyber Insurance Report, companies in the region are required to meet at least six security controls before qualifying for cover — higher than the global average. Email security and identity management rank among the most common minimum conditions, and many underwriters now require evidence of 24/7 monitoring or managed detection and response.
Steve Hunter, Arctic Wolf’s ANZ engineering director, said the Optus and Medibank breaches had reshaped local underwriting practice. “Insurance is no longer a financial safety net – it’s a test of cyber readiness and business resilience,” he said.
For brokers and carriers, iiNet’s breach provides another data point in a shifting risk environment. Claims data already show ransomware and data exfiltration as the leading triggers for payouts. Yet, with exclusions tightening and premiums continuing to rise, policyholders face the risk of denied claims if governance and security standards are not met in full.
The volume of breaches is also feeding into board-level risk assessments. The privacy regulator recorded more than 1,100 incidents in the second half of 2024, up 25 per cent year-on-year. Analysts say that trend will keep upward pressure on premiums and force boards to demonstrate active oversight of cyber resilience.
While iiNet has stressed that banking and identity records were not compromised, the scale of the breach will nonetheless be costly. Insurers and risk managers warn that secondary effects — from phishing attacks using stolen email addresses to the expense of customer remediation — can be as damaging as the initial breach.
For insurers professionals, the message is clear: cyber governance and workforce preparedness are converging issues. Breaches increasingly stem from compromised employee credentials, highlighting the need for stronger identity protections, training, and cultural change. In the words of Turnbull to The Australian, “cyber security isn’t an IT problem, it’s an executive failure.”
