More than 30,000 Westnet internet users have been advised to change their passwords after a hacker claimed to have gained access to the customer database of the iiNet-owned ISP.
In an online posting, picked up by Sydney-based infosec writer Cyber War News, a hacker going by the name Mufasa claimed to have a cache of "valuable data," including customer details and unencrypted plaintext passwords.
A statement from iiNet indicates that the compromised information could also include addresses and telephone numbers. The hacker is now offering to "sell or trade" this data.
seems westnet, one of aussies biggest ISP's has been owned. pic.twitter.com/kYYYjIMJnL— CWN (@Cyber_War_News) June 6, 2015
Based out of Western Australia, Westnet has been a subsidiary of iiNet since 2008. iiNet is now moving to minimise the fallout of the alleged hack, bringing the affected system offline and monitoring "impacted" accounts.
"iiNet is aware of an incident that may have resulted in unauthorised access to old customer information stored on a legacy Westnet system," said iiNet Chief Information Officer Matthew Toohey in an email statement to CNET.
"The incident has been reported to relevant law enforcement agencies and is currently under investigation."
While iiNet asserts that "no payment details were stored on the server," it has warned that "customer username, address, telephone and, in some cases, password information may have been accessed."
As a result, iiNet says it has contacted 30,827 "impacted customers" recommending they change passwords associated with their Westnet accounts, saying this is "the most effective way to ensure security."
"The system is now offline and at no further risk," Toohey continued. "As precaution, additional steps have been taken to increase the monitoring of impacted accounts."
While iiNet has moved swiftly to act on the hacking claims, Australia currently does not have laws requiring companies to disclose data breaches to authorities or customers, meaning customer details or passwords shared across accounts can be exposed for long periods before those customers become aware.
CNET has requested further comment from iiNet, including details on whether Westnet stored customer passwords in plaintext.