Perth-based internet provider iiNet has told more than 30,000 of its Westnet clients to change their passwords after threats of a security breach to its customer database surfaced on social media.
On Sunday, Twitter user @Cyber_War_News shared a post by a hacker who claimed to be selling “a lot of valuable data” such as “cleartext passwords etc.” from “a major ISP in Australia”.
iiNet, which took over Western Australian ISP Westnet in 2008, has confirmed it is investigating the incident and has contacted the 30,827 affected customers with a recommendation to change their password.
“iiNet is aware of an incident that may have resulted in unauthorised access to old customer information stored on a legacy Westnet system,” said iiNet in a statement provided to SmartCompany.
“The incident has been reported to relevant law enforcement agencies and is currently under investigation.”
The usernames, addresses, telephone numbers and password information of Westnet customers may all have been compromised, according to the statement. However, the internet provider said no payment details were stored on the server and the system is now offline and at no further risk.
“iiNet takes the privacy and security of customer information extremely seriously and is heavily invested in the proactive monitoring of its infrastructure to ensure the risk of such intrusions is minimised,” said the ISP.
“As a precaution, additional steps have been taken to increase the monitoring of impacted accounts.”
Customers have since lashed out at iiNet on social media over the lack of timely information provided about the potential breach.
“Hey iinet… You, a tech company, allowed 30,000 Customers passwords to be leaked,” said Facebook user Mark Paynter.
“I hope you didn’t save them in the clear, but as salted and hashed. And why haven’t I, and I presume all other customers, been warned to change our passwords for router login. And they want companies like yours to hold all our metadata… geeze.”
But AVG security advisor Michael McKinnon told SmartCompany iiNet has found itself in “a tricky situation”, given it can’t say too much to customers before it has undertaken a proper investigation.
“The goal at first is trying to determine the validity of the threat and what actually occurred. Then trying to corral the necessary resources, for example law enforcement,” McKinnon says.
“The blog post [explaining exactly what happened] will need to follow after that process. It can add fuel to the fire if they post a blog too early.”
McKinnon says the move to tell customers to change their passwords is a common temporary solution that many companies take at the early stage of a threat.
“Even if the hack hasn’t been confirmed, a lot of companies do this as a proactive measure in the early stages of an investigation, so if they discover down the track there was a compromise, at least they’ve given customers the opportunity to protect themselves as quickly as possible.”
McKinnon says the dilemma for a company is that anyone can claim they have hacked a database in order to cause irreparable damage to a business’ reputation.
“The sad part is the reputational damage can come from that first news story people read about a compromise and possible breach. Even if it’s found out not to be true down the track, customers remember that story. It’s very hard to gain back ground after that.”