Over 30,000 customers of Westnet, an iiNet-owned internet service provider (ISP), have been urged to change their passwords after the company reported that a hacker allegedly gained access to its customer database.
Cyber War News, a Sydney-based information security writer, tweeted a screenshot in which a hacker known by the online alias Mufasa claims to have a cache of sensitive iiNet information, touting that the database includes customer details and unencrypted plaintext passwords of more than 30,000 Westnet iiNet customers.
seems westnet, one of aussies biggest ISP's has been owned. pic.twitter.com/kYYYjIMJnL
— CWN (@Cyber_War_News) June 6, 2015
“I am selling the db of a major ISP in Australia,” the screenshot reads. “There is a sh[*]tton of data inside this database to where I haven’t even bothered to dump the whole thing but there is a lot of valuable data inside like a cleartext passwords etc.”
The Western Australia-based internet service provider, iiNet, confirmed that customer information was compromised in the breach, adding that street addresses and telephone numbers may have been stolen as well. The hacker is now offering to sell or trade the database of iiNet customers.
iiNet has said the company is moving urgently to mitigate the attack, taking affected systems offline to begin investigating and monitoring for impacted accounts.
“iiNet is aware of an incident that may have resulted in unauthorised access to old customer information stored on a legacy Westnet system,” said iiNet Chief Information Officer, Matthew Toohey, speaking on the breach. “The incident has been reported to relevant law enforcement agencies and is currently under investigation.”
On the positive side, an iiNet spokesperson has assured affected customers that “no payment details were stored on the server,” but has warned that “customer username, address, telephone and, in some cases, password information may have been accessed” by the hackers.
iiNet is currently in the process of contacting some 30,827 customers who were impacted by the breach, urging users to change their passwords on Westnet accounts.
“The system is now offline and at no further risk,” Toohey added. “iiNet takes the privacy and security of customer information extremely seriously and is heavily invested in the proactive monitoring of its infrastructure to ensure the risk of such intrusions is minimised. As precaution, additional steps have been taken to increase the monitoring of impacted accounts.”
iiNet has moved swiftly in response to the hacking claims, though Australia does not have any laws in place requiring companies to disclose data breaches to law enforcement or customers under any circumstance. That means customer information could have been leaked on the web, exposing thousands of customer passwords, months before the company became aware.
However, Toohey said the Westnet hack has been reported to relevant law enforcement agencies who are currently investigating the iiNet breach.