Hackers have targeted Australian superannuation funds this week, resulting in a collective loss of half a million dollars from a small number of customer accounts and compromising the data of several members, the industry’s peak body reported. The Association of Funds of Australia (ASFA) stated on Friday that hackers attempted to breach the cyber defenses of multiple superannuation funds over the weekend. While the majority of hacking attempts were thwarted, several companies were affected.
ASFA mentioned that the funds were notifying all impacted members if their data had been compromised. National cybersecurity coordinator Lieutenant General Michelle McGuinness confirmed that prominent funds like Hostplus, Rest, AustralianSuper, and Australian Retirement Trust were among those impacted by the attack. Superannuation and banking firms collaborate with government agencies to respond to the breach.
Insignia Financial, which manages brands including MLC and IOOF, reported that around 100 accounts on its Expand platform had been targeted, but no financial losses to customers had been detected. The rest of the superannuation fund said that up to 8,000 accounts might have accessed personal information, though no funds were transferred. AustralianSuper, which serves over 3.4 million members, confirmed that four of its members had $500,000 siphoned from their accounts.
The hackers used stolen passwords to log into the accounts of 600 members and attempted fraud. We have seen a spike in suspicious activity across our member portal and mobile app, and we are urging members to protect themselves online,” said Rose Kerlin, the chief member officer at AustralianSuper. The fund advised members to check their bank and contact details and to ensure their account passwords were strong and unique.
Members of AustralianSuper reported difficulty logging in on Friday, experiencing high call center traffic and intermittent service outages.
Superannuation funds’ data breach impact
The fund assured members that their accounts were secure despite being unable to see their accounts or seeing a $0 balance.
Prime Minister Anthony Albanese acknowledged the cyberattack on Friday, highlighting the regularity of such incidents in Australia and noting the government’s ongoing efforts to bolster cybersecurity. Rest Superannuation Fund’s CEO, Vicki Doyle, apologized for the breach affecting its members, stating that despite no financial transfer from the compromised accounts, data exposure was concerning. Australian Ethical reported that it was unaffected by the attack, attributing the issue to reusing previously leaked passwords.
The fund emphasized the importance of multi-factor authentication and vigilance against credential-stuffing attacks. HostPlus representatives stated the fund was still investigating but had identified no member losses thus far. They emphasized the priority placed on the security and privacy of their members’ accounts.
Lt. Gen Michelle McGuinness noted that government agencies, including the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC), collaborated with potentially impacted super funds to ensure safe outcomes for members. She advised super fund members to stay vigilant and follow the guidance provided by their funds.
Alastair MacGibbon, chief strategy officer at CyberCX, explained that credential stuffing, a method used by hackers, is becoming increasingly common. He urged individuals to use strong, unique passwords and recommended organizations implement multi-factor authentication to mitigate such risks. ASFA concluded that the industry is working collectively to enhance system-wide defenses, including establishing better communication and collaboration frameworks to combat financial and cybercrime.
Image Credits: Photo by Joshua Woroniecki on Unsplash
