Tangerine Data Breach

Afternoon all

TL:DR - Tangerine were hacked and all your data is on the dark web… banking and license information was not compromised (as far as they know)

Not sure if anyone else has received this or not but thought i would share, as it seems i am one of those unlucky people. Not here to bag their Internet service as i have used them multiple time and never had any issues but figured this might be the best place to post this for people that are currently with them or are thinking about using them.

So as the title mentions, Tangerine were hacked leaking PII.
Email basically states:

We are writing to let you know that Tangerine has been impacted by a cyber incident that has resulted in the unauthorised disclosure of some of our customer data.
We are contacting you as unfortunately, we believe that some of your personal data was disclosed as a result of this incident and have launched a full investigation to determine the cause. Please note that this incident does not affect the availability or operation of our nbn® or mobile services – they continue to operate as normal and remain safe to use.

The following personal information may have been disclosed as part of this incident:

Full name
Date of Birth
Mobile number
Email address
Postal address
Tangerine account number

We can confirm that no credit or debit card numbers have been compromised, as we do not store this information. No driver’s license numbers, ID documentation details, bank account details or passwords were disclosed as a result of this incident.

It appears the unauthorised disclosure of your personal information occurred on Sunday 18 February 2024 and was first reported to Tangerine management on Tuesday 20 February 2024.

How the incident occurred.

Upon learning of the incident, we immediately began an investigation to determine how this incident occurred. This investigation is ongoing and is being treated with the utmost priority.

We know that the unauthorised disclosure relates to a legacy customer database and has been traced back to the login credentials of a single user engaged by Tangerine on a contract basis.

What Tangerine are doing.
As soon as we learnt of this incident, we took steps to prevent any unauthorised access to our data.
We have taken precautionary steps to fully revoke network and systems access for the individual user’s credentials and we have also changed all other team usernames and passwords. Access to the affected legacy database has also been closed.

We have engaged an external cyber specialist to undertake a full and thorough investigation, and we are in contact with the Australian Cyber Security Centre. We have also notified the Office of the Australian Information Commissioner of this incident.

If you still have a Tangerine account, please be assured that your account, including access to the Tangerine Self Care Portal, is secure.

When you contact our team or try to login to the Portal, we will use a one-time verification code sent to your mobile & email to validate your identity and ensure that you have sufficient authority to access the account.

The following additional protections are also available to you as a Tangerine customer:
you have the option of changing your Tangerine account number.
you have the option of setting up additional security questions on your Tangerine account, and you will need to confirm the answers to these questions when you call us to discuss or make changes to your account or services.
What you should you do.

We wanted to notify you of this incident as it could increase your risk of being exposed scam or phishing attacks - where fraudulent phone calls, SMS or emails are sent to trick individuals into revealing personal information.

There are a few things that you can do to reduce this risk:
be alert to all email communications you receive including any email that claims to come from Tangerine Telecom, or that appears suspicious in any way. If you are unsure whether an email claiming to come from us is legitimate, please contact us directly;
be suspicious of any unexpected requests for your personal information, including your financial information.
Additional ways to protect yourself online.

Setting up multi-factor authentication (MFA) on your online accounts
MFA provides you with an extra layer of protection as it involves using two or more authentication factors to verify your identity, such as information you know (e.g. your personal, account or password details) together with information you have (e.g. a unique code sent to your phone or your fingerprint). While it may be easy for a criminal to steal one form of information (like a password), it's harder for them to steal two.

Regularly change your passwords

We understand that this one is annoying, but the fact is, automated attacks rely on people using the same password for many accounts and therefore if you do not change your passwords regularly (and make it one hard to crack), you could be at risk. If you are someone who finds it hard to keep track of passwords (who isn’t these days?), you might want to consider subscribing to a password manager.

Additional resources.
In addition to the above steps to protect yourself online, here’s some additional resources to help you recognise and report scams.

ID Care – supports individuals impacted by data breaches. Find out more here.
Scamwatch – learn how to recognise, avoid and report scams here.
Australian Cyber Security Centre (ACSC) – find out more ways to protect yourself online here.
Tangerine’s Online Safety & Cyber Security page.
Tangerine’s Customer Guidance on Scam Phone Calls & SMS – find out more here.
Tangerine’s ID Authentication for Account Changes & Fraud Awareness – find out more here.

If you have any further questions or concerns about this incident, you can get in contact with our Customer Service team on 1800 936 147 or by creating a Support Case in the Self Care Portal.

You can also view our media statement here.

I apologise that this incident occurred and for any concern this has raised for you. We will continue to update you during and once our investigation has concluded.

Regards,
Andrew Branson
Chief Executive Officer

Related Stores

Tangerine Telecom
Tangerine Telecom

Comments

  • +16

    yes I got two emails from tangerine today (I only signed up to them, never connected to their service, only to be refunded later as they cannot even connect me to internet in a reasonable time)

    yet have to suffer this another data breach

    first email said they will update direct debit details, next one said ignore last email (ofc in bigger tldr way for both emails).

    tangerine should face full 100% scrutiny if they fkin leaked our banking details or direct debit details

    • +5

      yeah i got the same 2.
      I then got a notification from NordVPN saying my email address is on the darkweb through tangerine. Couldnt find anything and then this email came through.

      • +28

        why the f are they even allowed to keep our banking details after a customer leaves them (assuming no bills due/overdue)

        I hated them from very get go ngl

        • My thoughts exactly.
          Would love to know their policy on how long they keep the data and what is considered "legacy"

          • +4

            @duckdodgers245: Just read the email they sent me now

            And does say same as yours

            We can confirm that no credit or debit card numbers have been compromised, as we do not store this information. No driver’s license numbers, ID documentation details, bank account details or passwords were disclosed as a result of this incident.

            But to be honest i don't trust tangerine even 0.000001% all they say is bs imo

            • +1

              @USER DC: Bank details still show on my account that has been closed for months. Why can I evan access a canceled account

              • @Harrygw: cause bank, and government want to track all possible money laundering activities ( and government also probably want to use that for say like centrelink, and tax purposes)

              • +1

                @Harrygw: I've raised this with them as well. They still have my credit card details contained within my account I can still access even though I cancelled my services with them months ago. I've lodged a complaint with the TIO as they refuse to remove it

            • +3

              @USER DC: It's a complete lie. They do save credit card details … on the aptly same "SAVED PAYMENTS" on their portal. As a former customer I've found my credit card details still saved on there with no ability to remove. They likely were lost as part of this ridiculous breach. Their customer support team towing the company line "we don't save them", even though they then admit they are happy to now delete them.

            • @USER DC: fair point.
              I actually went into my account and checked the debit details etc. and found nothing in there.
              I'm almost certain when i left Tangerine i had deleted that information at the same time. Hate the fact my CC/DD details are there for no reason.

        • +1

          They literally said they didn't keep your banking details though? It was personal information like name, email and DOB. If those aren't already on the web though, you don't have enough accounts you're pretty lucky.

          And yes they could by lying about your banking details, but why would they do that? They've already admitted to what's been leaked. If it was to come out that financial details were also leaked, and they tried to hide it (which would be fairly easy to verify for someone with sufficient know how now that it's out there on the web) it would be even worse for them.

          At this point they would know that their best bet PR wise to get out in front of this with as much transparency as possible, unlike Optus which was an unmitigated disaster.

          • +3

            @moar bargains: Received the emails today direct debt details are still showing in the portal despite not being with them for months. Can still log on to a closed account. Think i will change my bank account details don't wont take the risk. As others have commented why are bank details kept for closed accounts.

            • +1

              @Harrygw: Financial details may be stored with a separate provider, hence not accessible in this breach, while still "saved" in your account. I do agree though that companies need to do better at removing previous customers' details when they are no longer needed.

            • @Harrygw: Same. It's a complete lie. They do save credit card details … on the aptly same "SAVED PAYMENTS" on their portal. As a former customer I've found my credit card details still saved on there with no ability to remove. They likely were lost as part of this ridiculous breach. Their customer support team towing the company line "we don't save them", even though they then admit they are happy to now delete them.

          • @moar bargains: why would a business lie? HAR HAR HAR

          • @moar bargains: Literally have saved payments details in their portal. A customer support person offered to delete my saved credit card this morning. Why lie about it? - that's a great question.

      • +1

        How did they find it so quickly? anyway to confirm if we are on the list becides email from tangerine/nordvpn?

        • +3

          They continuously (or rather, regularly) monitor the dark web for dumps like this. Or probably more accurately have a third party system that does it for them that they subscribe to.

          https://haveibeenpwned.com/ maintains a list of dumps and leaked creds, and will let you know if yours appears. Presumably it will get the Tangerine list at some point. Some password managers also have credential monitoring, e.g. Dashlane, 1Password, Bitwarden.

      • I then got a notification from NordVPN saying my email address is on the darkweb through tangerine.

        So Tangerine waited until the data was already published before alerting it's customers there had been a breach? Normally the data thieves try to extort money from the company before releasing anything so Tangerine has probably known about the breach for quite some time.

      • Hi boss I've got NordVPN too
        How do I turn on this feature you mentioned?

    • first email said they will update direct debit details, next one said ignore last email (ofc in bigger tldr way for both emails).

      I never got the first email, only the second to say ignore the last =/ (and then I got the third about the breach)

    • +2

      Yep.

      I have never had a service with them, but once made an account with the plan of signing up.

      This was 5 years ago and they still had my data.

      Live chat said something along the lines of they are required to retain a details for the life of the customer’s account, plus a further minimum period 2 years after closure.

      Not sure what constitutes life of account, but surely having no service is one of the conditions?

    • +3

      This is why I only deal with Optus.

    • +2

      They should be fined, in millions/ Maybe then they take security a bit more seriously.

  • TL.DR version?

    • +32

      A contractor that Tangerine hired had their credentials compromised. That's how the data breach occurred.

      More broadly speaking, we need an Australian equivalent of the European GDPR as soon as possible.

      It's honestly disappointing that there isn't more momentum behind something like this, especially after the much higher profile Optus data breach.

      I guess it's reflective of the average Australian's indifference to anything related to IT policy. Very keen to shit on Optus immediately after the incident, not so much on the specific policies to reduce the impact of future data breaches.

      • +2

        Just fine them for each breach, like per person. It'll be cheaper to keep things secure than let it happen twice. A million customer details at $5 is five million dollars. Though they'll probably just start covering it up instead of notifying people.

        • +2

          If a business has a million customers, $5 million is nothing and will 100% be cheaper than proper security controls. It would need to be in the tens of millions or as a significant percentage of revenue/profit.

          • @Gina Rinehart: Yeah I guess if a real estate trust with 30 clients breached all personal data it wouldn't cost them much to pay the fine.

    • updated

    • +2

      Full name
      Date of Birth
      Mobile number
      Email address
      Postal address
      Tangerine account number

      Linked to current and past and never connected users have been breached and leaked

      I was in past dumb enough to give them my main info.
      Moving forward i think we should just fkin use fake names, fake emails, fake numbers, po box postal address, one time use cards

      • How you going to give them a fake address for an NBN service? Agree with the rest though.

        I left them months ago, time to go through all my old accounts and obfuscate the details.

        • +2

          it is fake postal address (not connection address) postal address can be parcel collect/PO box etc too

      • +3

        I just accept my data is out there. And I've had the same phone number long enough that I trust 99% of unknown numbers are scam calls now.

  • +18

    FFS, why does the law force these idiots to keep our details beyond the initial signup/ ID validation step?

    • +8

      They need all that info for marketing purposes.

      • Haha some dummies negging you. Obvious sarcasm is obvious.

    • -2

      because government wants too hack (see without any difficulty) into our data also

      but I see zero reason at all as to why the F they need to keep other type of our information once our realtionship with them as customer and service provider is over

      • I too would prefer they didn't keep all this info, but in their defence, they sometimes need this information to verify identity of account holders. There are plenty of people out there who wouldn't be able to simply remember (or safely store) their account number and a password, and ring up and need to be verified via Name, address, DOB, and mobile number.

        An alternative to having individual providers store and retain all this information is to have one centralised (government) identity provider for online services with an API that providers can use. However that leads to other problems, not least of which is your first point. But the government already has all this information, it just may not be all in the same place…

        • +2

          they do not need any of this information at all once relationship is ended tho, (once all bills been paid etc).

          they may need it for time their is an existing and ongoing relationship, to which i think okay understandable.

          • +3

            @USER DC: They are literally legally mandated to keep it for at least 2 years though. And what's happened here is what industry experts said would happen when these laws were passed.

            That said, I think there are plenty of cases of companies being slack, and not scrubbing it after 2 years.

            • @moar bargains: ofc yeah governement is the one i'd say we should blame first most because it has done so little (other than some mediocre press conferences, and some ever so tiny increased in legislated punshiments than are never really used).

      • +1

        Why would the government hack into a telco to get our License/Passport/Medicare that they issue…

        • -7

          hack (no they just get direct access, they dont normally hack, although they can by hiring experts), regardless they probably may want to incase they want to link you to some digital identity. (say copyright breaches, wikileaks like scenario, money laundering, child pornography, drugs traffic, stalking etc. etc. cannot list all reasons here)

          • +3

            @USER DC: You realise the government issues our ID cards right?

    • +1

      Reason why below:

      Federal data retention obligations:

      https://www.homeaffairs.gov.au/about-us/our-portfolios/natio…

    • They want their buddies to set up a system like the EU has, where people and individuals are fined by a privacy commission when leaks happen. i think the commission is self funding from the fines https://www.enforcementtracker.com/

    • +1

      Well technically they don't need to store it online, they could have it offline accessible by one team in the organisation, they just keep it in an online database for convenience.

  • -7

    all your data belongs to the dark web…

    No… It doesn't 'belong' to it.

  • +7

    First email (roughly 5am) I haven't dealt with Tangerine in years:

    We have identified a system error that meant your most recent direct debit was not processed on the scheduled due date.
    To get your account back up to date, we will be attempting to process your direct debit again today.
    As this was our error, please be assured that we will be waiving any late fees or bounce fees that you may incur as a result of this error.
    We’re sorry for this error and we are rectifying it to ensure future direct debits are processed on the correct due date.

    Second email (roughly 9am):

    We sent you an email last night advising that your direct debit payment was missed due to a system error and that we would be reattempting payment. Please disregard this email as it was sent to you in error.
    Please be assured that there have been no changes to your account, nor has any direct debit payments been attempted on your account.
    We made some system changes, and this unfortunately resulted in some customers receiving this email in error.
    We sincerely apologise for any confusion or inconvenience this may have caused.

    Then the latest email about the breach. After the first email, I was suspicious of some kind of breach/phishing attempt, but the email was legitimately from Tangerine, and didn't have any contact method that wasn't legitimate. But then it turned out to be a breach anyways? Wonder how this all played out; whether the first email was because of the breach, or while troubleshooting the first email, they actually looked at file logs and saw the unauthorised access.

    • I feel as though that initial email was a result of this, perhaps something triggered the email to be sent off:
      We have taken precautionary steps to fully revoke network and systems access for the individual user’s credentials and we have also changed all other team usernames and passwords. Access to the affected legacy database has also been closed.

  • Confirmed

  • +1

    The Cyber Security link on their help page returns a 404 Not Found, which says everything really…

  • +3

    Most secure Australian data:

  • At least credit card information not handed over.

    I thought something was wrong when they sent an email regarding direct debit issues given I haven't been with them for a whole year.

    • -1

      you can almost never be sure of that. This company is a bunch of lies. And may be government also wants to have less information published so as to keep faith in government and not have a public confiedence plummet to zero (or negative as they should after so so many leaks, starting of with Shopback 2019, then hacktus, medibank 2022, and so so many more)

      point is that this company is ofc motivated in disclosing as less information as possible (probably more like motivated to hide any possible information that has been breached).

      and government is kinda same too ( the more they hide more they can pretend everything is okay and BS).

      The fact of the matter is government is doing nothing, it should be forcing companies to delete data (once relationship is over).

      Companies are always motivated to keep costs low, have zero to little tech knowledge, and only give f about money they are getting everything else according to them can f of.

    • +4

      Wrong attitude.
      Your Credit Card number can be changed and costs are covered. You might have a bit of a headache for a few weeks. It's the least important info.

      The leaked data cannot be changed, can subsequently be used to steal your identity and none of the costs are covered. This nightmare could extend for months or even years!

      • -2

        But most the details about they could have got from Facebook already.

        Except for your address but then only a problem if you never intend to move or have stuff they can steal.

    • +1

      It's a complete lie. They do save credit card details … on the aptly same "SAVED PAYMENTS" on their portal. As a former customer I've found my credit card details still saved on there with no ability to remove. They likely were lost as part of this ridiculous breach. Their customer support team towing the company line "we don't save them", even though they then admit they are happy to now delete them.

  • +1

    Not even anything on the homepage. At least Optus had the decency (somewhat) to front up and put it smack bang on their homepage saying they were breached.

    These guys (profanity) up my Internet earlier last year, and I went a week without service because their hopeless support staff refused to fix it even when I gave them clear instructions on what they needed to do. Now this?

    I'm curious if More was affected as well, since it's the same company (and from what I understand, accounts are all in the same system).

  • Was only with them in January 2023 due to a good deal and left within a week due to poor speeds.

    Received the email early this morning claiming that they had not properly debited my account/would do this today. I was suss on the legitimacy of the email though the links ended up going to their legit website. Not completely surprised by this data breach email.

  • +5

    Got about 10 emails from them as my Gmail autoforwards to my Hotmail and I used both to be a 'new customer'. My data's been breached so many times it doesn't even phase me anymore 😂

    • +3

      IKR. Another day, another breach. If someone was targeting me, I'm pretty sure anything leaked is already out there.

      • +3

        My outlook has been hammered by people all over the world trying to login. A few days ago I got blocked from my mail because it said too many access attempts, I got on the security page and over 2 days, the list was so long I had to load 2-3 times. So annoying how I can't do anything about it

        • Damn, that sucks. Would be good if you could set up some sort of fail2ban like thing.

          Got MFA turned on?

          • +1

            @moar bargains: Yup, they were all unsuccessful. And for some reason my IP is showing as all the way in Sydney but I'm in WA so that usually throws me for a bit to see 'successful sign in' for that one

            • @MeesusEff: Haha yeah, that's always good.

              "MeesusEff did you just try to login from Manly?"

        • +1

          I noticed a large number of failed logon attempts from all over the world on my outlook account as well. I logged in and changed the primary logon email to a different alias (old email still remains active as a secondary alias) which stopped the failed logon attempts in their tracks.

          • @QuicheLorraine: Oh! I gotta look into that, thanks :)

            Has your outlook also gone funny with emails? I can't open links from junk anymore, even though I've turned the settings off. And sometimes actual important mail just goes straight to deleted, like my husband's and dad's email. Definitely no auto rule but I can't find anything online about why it's happening

  • +7

    Jokes on them. My details are already on the darkweb.

    • +5

      probably true if you have ever at any time given any information to any australian company

    • Yep.
      First Optus, Then Medibank, Then Latitude, then MFB.
      I was thinking of signing up with these guys and figured what do I have to lose. hahahaha

  • +2

    Still nothing on the Tangerine website, but other sites are now starting to report it.
    Andrew Branson will be wiping that smug smile off his face when he gets hauled into the OAIC. just looking at some of the statements they have made, they have clearly breached Australian Privacy Principles. Due to recent legislated changes, fines can now be up to $50 million

  • +1

    (profanity) hell

  • Merged from Tangerine Telecom Disclosing Personal info

    How many times can a company fk up in a day?

    I received an email from tangerine that a direct debit failed even though I cancelled a couple of months ago.

    Worse was to come when they sent me another email saying my personal info had been disclosed wtf.

    Curious to see how wide spread this is as I know many on ozb churn internet plans and tangerine probably one of the providers.

    How shit are the IT departments in Aus?

      • Tangerine Telecom Disclosing Personal info?
      • How many times can a company fk up in a day?
      • How shit are the IT departments in Aus?

      Which question? None of them fit with a Yes/No response.

  • The TL:DR mentions that the data is on the dark web. Is this a guess or is it actually there? Does anyone know which dark web site it's on?

    • Not confirmed. more of a assumption. I mean where else would that data go?

      • Maybe we should just buy our own data from the Dark Web that way its no longer for sale?

        • +1

          Don't think thats how it works. I believe the data would be in multiple places by now, after someone buying it all and then reselling it and so forth and so forth.

        • +1

          yeah because a criminal is going to do the right thing and delete it after you buy it and would never then onsell it to others.

    • +3

      Previous comments mentioned that NordVPN flagged their data on the dark web due to this breach today.

    • OP got a notification from NordVPN. It's there.

      • Does anyone know which site NordVPN found it on? I'd like to double check for sure in my More Telecom details got on it or not.

  • +1

    Anyone with More telecom impacted?
    Considering More telecom is just a wrapper on top of Tangerine telecom

    • Yes, same breach.

  • Hmm, was wondering why I was getting emails from them when I haven't been with them for 8 months.

  • I was a Tangerine customer between Sept and Dec last year (I churned after a few months because of intermittent dropouts) and I didn't get any emails from Tangerine today. Have we established whether the breach affected only a subset of Tangerine customers?

    EDIT: Nevermind, I answered my own question. It's in their Media Statement:

    Approximately, 232,000 current or former Tangerine customer accounts are impacted dating from June 2019 to July 2023. All impacted customers have been notified by email on Wednesday 21 February 2024.

    Makes sense why I wasn't notified.

    • Don't feel left out, your details will be published on the darkweb after next months data breach.
      /S
      Or am I being serious?

    • +1

      I’m very curious to see whether my details turn up on the dark web. I was definitely a customer to June 23, but after such a rubbish experience and a well earned distrust of them, I took one extra precaution when closing my account. Before doing so I changed my email and every other detail their webform would permit to fictitious nonsense.

      Poor [email protected] is now likely very confused that he is being told his his pii is on the darkweb ;)

Login or Join to leave a comment