Tangerine Telecom Data Breach 2024:
What You Need to Know
Approximately 232,000 Tangerine Telecom customer records were exposed in February 2024 after an attacker used a third-party contractor's old credentials to access a system containing customer data. Here is what happened, what was leaked, and steps you can take to protect yourself.
Your personal risk from this breach
Sign in or create a free account to see your personalised risk score.
What Happened
How the Tangerine Breach Unfolded
Late 2023
A contractor's legacy login credentials remained active on Tangerine systems despite the contractor leaving the engagement in mid-2023. Dormant accounts of this kind are a recurring weak point flagged by the OAIC in notifiable breach reports.
January 2024
An attacker used the dormant contractor credentials to access a Tangerine staging/test environment that contained copies of customer records. Test environments often hold real production data without the same hardening as live systems.
18 February 2024
Tangerine confirmed the breach publicly, notified the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme, and began emailing affected customers.
Not sure if you received this notification? Affected customers received an email referencing a "Tangerine Telecom data security incident" with details of what data was exposed.
Late February to March 2024
Tangerine rotated credentials, removed legacy contractor accounts, and engaged forensic specialists to confirm the scope of the intrusion. The carrier said no further unauthorised access had been detected following the remediation work.
What Was Exposed
Personal Data Leaked in the Breach
The exposed dataset combined identity-verification fields commonly used by banks and telecommunications carriers to confirm who you are over the phone. That makes the data particularly useful for identity-fraud and SIM-swap attempts.
| Data Type | Risk Level | Who Was Affected |
|---|---|---|
| Full name | High | All approximately 232,000 affected customers |
| Date of birth | High | All approximately 232,000 affected customers |
| Mobile number | High | All approximately 232,000 affected customers |
| Email address | High | All approximately 232,000 affected customers |
| Postal address | High | All approximately 232,000 affected customers |
| Tangerine account number | Medium | All approximately 232,000 affected customers |
Risk levels based on the OAIC: What is personal information? and OAIC Australian Privacy Principles. Identity-linked data (name, date of birth, address, mobile number) is rated higher because the combination is commonly used to verify identity at banks and telcos.
✅ Confirmed NOT Exposed
Tangerine confirmed that customer passwords were not in the exposed dataset. Payment-card details and bank-account numbers are processed by a third-party payment processor under PCI-DSS scope and were not affected. SIM and IMSI data were not in scope for this incident.
Company Response
What Tangerine Did
“We sincerely apologise to affected customers. The security of customer information is something we take extremely seriously.”
Actions Taken by Tangerine
- Disabled the compromised contractor credentials
- Notified the OAIC under the Notifiable Data Breaches scheme
- Rotated credentials and removed legacy contractor and staff accounts
- Engaged forensic specialists to confirm the scope of the intrusion
- Began emailing affected current and former customers with details of what data had been exposed
- Referred concerned customers to IDCare for free identity-support guidance
- Committed to improving access management and removal of unused accounts
What Now?
Steps You Can Take After the Tangerine Breach
Even though no passwords or payment data were exposed, the combination of name date of birth mobile number email and address is exactly what is used to verify identity at banks and telcos. That makes SIM-swap and identity-verification fraud the main risks to plan for. Here are general best-practice steps, organised by the types of accounts most commonly affected.
Tangerine and Telco Accounts
Your mobile service is the gateway to SMS-based MFA. Securing it limits SIM-swap risk.
Reset your Tangerine portal password and enable MFA
~5 minSet a port-out PIN with Tangerine
~10 minReview billing and request itemised call records
Email and Digital Identity
Your email is the key to your digital identity. Securing it is a sensible first step.
Strengthen email security
~5 minMove high-value MFA off SMS where possible
Understand your full account exposure
Identity Protection
Name + date of birth + address + phone is the standard kit used to verify identity at banks.
Consider a credit ban (recommended for AU residents)
~20 minBe cautious of identity-verification phone calls
Monitoring and Reporting
Australian resources for breach response, telco complaints, and identity protection.
Stay alert for targeted phishing
Contact IDCare, Scamwatch, or ACMA
Not sure which of your accounts are affected?
In The Event Of discovers your accounts automatically and alerts you in real time when new breaches affect your data.
Are You Still at Risk?
The Hidden Danger: Compound Breach Exposure
The Tangerine breach did not happen in isolation. If your data also appeared in other major Australian telco or healthcare breaches, the combination of leaked information can build a more complete identity profile.
How breach data compounds
On its own, the Tangerine breach exposed names, dates of birth, addresses, mobile numbers, and emails. But if your email also appeared in the Optus or Medibank breaches, the combined data set may include identity documents, Medicare details, and health records. This kind of compound exposure significantly increases the risk of identity fraud and SIM-swap attacks.
- Optus (2022)9.8M telco records - passport, licence, Medicare numbers
- iiNet (2025)200K ISP records - account and contact details
- Telstra (2022)Historical employee and customer exposure
- Medibank (2022)9.7M records - increases phishing risk for the same demographic
If your email appears in two or more of these breaches, your risk level is significantly elevated. In The Event Of can overlay your breach data to show exactly where your exposure compounds, and help you prioritise what to address first.
Frequently Asked Questions
Tangerine Breach FAQ
Sources
- Have I Been Pwned: Tangerine breach entry
- Tangerine Telecom (official site)
- OAIC: Notifiable Data Breaches scheme
- Australian Communications and Media Authority (ACMA)
- IDCare: National identity and cyber support service
- OAIC: What is personal information? (Privacy Act 1988 categories)
- OAIC: Australian Privacy Principles
Other Major Australian Data Breaches
Data from multiple breaches can be combined to increase identity fraud risk. Review these guides to understand your full exposure.
NYC Health + Hospitals Data Breach 2026
~1.8M records exposed
Australian Courts Data Breach 2026
Thousands of files records exposed
youX Data Breach 2026
~444K records exposed
Prosura Data Breach 2026
300K-500K records exposed
Canvas (Instructure) Data Breach 2026
~275M (claimed) records exposed
Booking.com Data Breach 2026
Undisclosed records exposed
McGraw Hill Data Breach 2026
13.5M records exposed
Crunchyroll Data Breach 2026
Undisclosed records exposed
Eurail Data Breach 2026
300K+ records exposed
Basic-Fit Data Breach 2026
1M records exposed
Under Armour Data Breach 2025
72M records exposed
Salesforce (ShinyHunters) Data Breach 2025
~1B records exposed
Allianz Life Data Breach 2025
2.8M records exposed
Workday Data Breach 2025
Undisclosed records exposed
Western Sydney University Data Breach 2025
10K records exposed
Genea Fertility Data Breach 2025
940K records exposed
DeepSeek Data Breach 2025
1M records exposed
Australian Clinical Labs Data Breach 2022
223K records exposed
Qantas Data Breach 2025
5.7M records exposed
Optus Data Breach 2022
9.8M records exposed
Medibank Data Breach 2022
9.7M records exposed
Latitude Financial Data Breach 2023
14M records exposed
MyDeal (Woolworths) Data Breach 2022
2.2M records exposed
Disclaimer: This guide is provided for general informational purposes only and does not constitute legal, financial, or professional advice. The information is based on publicly available sources at the time of writing and may not reflect the most current developments. In The Event Of Pty Ltd (ABN 38 687 352 647) is not affiliated with Tangerine Telecom. If you believe you have been affected by this data breach, we recommend contacting the relevant authorities and seeking professional guidance specific to your circumstances.