Media statement: Tangerine cyber incident

Wednesday, 21 February 2024
Tangerine has been impacted by a cyber incident that has resulted in the unauthorised disclosure of some of our customer data. 
It appears the unauthorised disclosure of certain personal information occurred on Sunday 18 February 2024 and was first reported to Tangerine management on Tuesday 20 February 2024.  
We can confirm that no credit or debit card numbers have been compromised, as we do not store this information. No driver’s licence numbers, ID documentation details, banking details or passwords have been disclosedas a result of this incident. 
The following personal information was disclosed: full name, date of birth, mobile number, email address, postal address and Tangerine account number. 
Upon learning of the incident, we immediately began an investigation to determine how this occurred. This investigation is ongoing and is being treated with the utmost priority. 
We know that the unauthorised disclosure relates to a legacy customer database and has been traced back to the login credentials of a single user engaged by Tangerine on a contract basis.  
As soon as we learnt of this incident, we took steps to prevent any unauthorised access to our data. 
We have taken precautionary steps to fully revoke network and systems access for the individual user’s credentials and we have also changed all other team usernames and passwords. Access to the affected legacy database has also been closed. 
We have engaged an external cyber specialist to undertake a full and thorough investigation, and we are in contact with the Australian Cyber Security Centre. We have also notified the Office of the Australian Information Commissioner of this incident. 
Approximately, 232,000 current or former Tangerine customer accounts are impacted dating from June 2019 to July 2023. All impacted customers have been notified by email on Wednesday 21 February 2024. 
All Tangerine customer accounts are protected with Multi-Factor Authentication (MFA). MFA provides an extra layer of protection, as it requires customers to enter a temporary code which is texted to their mobile in order to log into their account online or make changes to their account over the phone. MFA remains active for all customers and is unaffected by this incident. 
This incident does not affect the availability or operation of our nbn® or mobile services – they continue to operate as normal and remain safe to use. 
We encourage affected individuals to utilise the following resources to help recognise and report scams and other cyber issues: 
  • ID Care – supports individuals impacted by data breaches. Find out more here. 
  • Scamwatch – learn how to recognise, avoid and report scams here. 
  • Australian Cyber Security Centre (ACSC) – find out more ways to protect yourself online here. 
  • Tangerine’s Online Safety & Cyber Security page. 
  • Tangerine’s Customer Guidance on Scam Phone Calls & SMS – find out more here. 
  • Tangerine’s ID Authentication for Account Changes & Fraud Awareness – find out more here. 
Quotes attributable to Tangerine CEO Andrew Branson: 
“No one is more disappointed than me. As a founder-led organisation, my brother and I put everything we can into the business along with a very talented, committed team.  
Anything that negatively impacts our loyal customer base hurts, and we sincerely apologise to them for this incident.  
Thankfully, over recent years we’ve taken multiple pre-emptive steps which have included reviewing what data we really need to keep and what we can live without. That’s why we don’t hold any driver's licences, any ID documents or any credit card numbers.  
Moving forward, we are fully committed to learning from this incident and implementing necessary improvements to prevent similar occurrences in the future.”

Go Back