A significant cybersecurity incident has impacted multiple Australian superannuation funds, resulting in a collective loss of $500,000 and the compromise of member data. The attack, utilizing the “credential stuffing” technique, underscores the escalating threat of sophisticated cyberattacks targeting the financial sector.
The Association of Superannuation Funds of Australia (ASFA) reported widespread hacking attempts against numerous superannuation funds during the previous weekend. While the majority of attempts were thwarted, several companies experienced successful breaches.
ASFA issued a statement reassuring members: “Retirement savers should be assured superannuation funds and their service providers already have rigorous cyber protections in place.” However, the significant financial losses demonstrate the limitations of current security measures.
The Impact of the Australian Superannuation Fund Data Breach
AustralianSuper, a major fund with over 3.4 million members, confirmed that four members suffered a collective loss of $500,000. Stolen passwords allowed hackers to access the accounts of 600 members, leading to attempted fraudulent transactions. Rose Kerlin, AustralianSuper’s chief member officer, acknowledged a “spike in suspicious activity” across their member portal and mobile app, urging members to proactively strengthen their online security.
“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”
Rose Kerlin, AustralianSuper’s chief member officer
The fund advised members to verify their bank and contact details and ensure strong, unique passwords.
Other Affected Funds
Other funds affected include Hostplus, Rest, and Australian Retirement Trust. Rest reported that 8,000 accounts may have had personal information accessed, although no funds were transferred.
“Due to our incident response protocols, the impact has been limited to less than 1% of our members. Nevertheless, this will be very concerning for the members who have been impacted, and we are very sorry this has happened.”
Vicki Doyle, Rest’s CEO
Insignia Financial reported approximately 100 accounts targeted on its Expand platform, but no financial impact was detected. Hostplus is still investigating, but as of the report’s publication, no member losses had been discovered.
Prime Minister Anthony Albanese acknowledged the attack, highlighting the alarming frequency of cyberattacks in Australia: “There is an attack, a cyber-attack, in Australia about every six minutes. This is a regular issue.”
The government is actively collaborating with affected firms and relevant agencies to address the situation. The national cybersecurity coordinator is working to coordinate a whole-of-government response, with APRA and ASIC engaging with impacted funds.
The “Credential Stuffing” Attack Method
Alastair MacGibbon, chief strategy officer at CyberCX, identified the attack method as “credential stuffing,” a rapidly growing threat. He stressed the importance of strong, unique passwords and multi-factor authentication for both individuals and organizations.
“Credential stuffing is a growing threat to businesses and individuals, and CyberCX is tracking an increase in these attacks.”
Alastair MacGibbon, chief strategy officer at CyberCX
He also recommended regular data exposure assessments to identify compromised credentials on the dark web.
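Credential stuffing replays username/password pairs leaked from other breaches against a new service, so in a portal's authentication log it looks different from both a single-account brute force and a member mistyping a password: one source trying many distinct accounts with a high failure ratio, and a few successes where a member reused a breached password. The detector below is an added example written for this article, not code from any fund or from CyberCX; the log records, IP addresses, account IDs and thresholds are all constructed.

```python
from collections import defaultdict

# Constructed audit records: (source_ip, account_id, outcome).
# 203.0.113.7 tries one password per account across many accounts (stuffing);
# two succeed because those members reused a breached password.
# 198.51.100.9 is a member who mistyped twice; 192.0.2.44 brute-forces one account.
AUTH_LOG = [
    ("203.0.113.7", "m1001", "FAIL"), ("203.0.113.7", "m1002", "FAIL"),
    ("203.0.113.7", "m1003", "OK"),   ("203.0.113.7", "m1004", "FAIL"),
    ("203.0.113.7", "m1005", "FAIL"), ("203.0.113.7", "m1006", "FAIL"),
    ("203.0.113.7", "m1007", "OK"),   ("203.0.113.7", "m1008", "FAIL"),
    ("203.0.113.7", "m1009", "FAIL"), ("203.0.113.7", "m1010", "FAIL"),
    ("198.51.100.9", "m2001", "FAIL"), ("198.51.100.9", "m2001", "FAIL"),
    ("198.51.100.9", "m2001", "OK"),
    ("192.0.2.44", "m3001", "FAIL"), ("192.0.2.44", "m3001", "FAIL"),
    ("192.0.2.44", "m3001", "FAIL"), ("192.0.2.44", "m3001", "FAIL"),
    ("192.0.2.44", "m3001", "FAIL"), ("192.0.2.44", "m3001", "FAIL"),
]

def source_stats(records):
    """Per source IP: attempts, distinct accounts tried, failures, accounts that succeeded."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set(), "fails": 0, "ok": set()})
    for ip, account, outcome in records:
        s = stats[ip]
        s["attempts"] += 1
        s["accounts"].add(account)
        if outcome == "OK":
            s["ok"].add(account)
        else:
            s["fails"] += 1
    return stats

def flag_stuffing_sources(records, min_accounts=5, min_fail_ratio=0.7):
    """Sources whose pattern matches credential stuffing: many DISTINCT accounts
    tried from one IP with a high failure ratio (thresholds constructed for the
    sample). Single-account brute force fails the distinct-account test; a
    member mistyping a password fails both."""
    flagged = {}
    for ip, s in source_stats(records).items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"accounts_tried": len(s["accounts"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(s["ok"])}
    return flagged

def accounts_to_lock(records, **thresholds):
    """Accounts that authenticated successfully from a flagged source: the
    reused-password accounts a fund would lock and notify, as described above."""
    return sorted(a for f in flag_stuffing_sources(records, **thresholds).values()
                  for a in f["compromised"])
```

Running the block over the sample flags only 203.0.113.7 and returns m1003 and m1007 as the accounts to lock; in production the same counters would be kept per source over a sliding time window rather than over a static list.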
The ASFA is working to improve system-wide defenses, including establishing a direct communication line between the superannuation sector and government agencies, enhancing information sharing, and developing frameworks to combat financial and cybercrime.