A coordinated cyberattack targeting major Australian superannuation funds has exposed significant vulnerabilities within the $4.2 trillion industry. The attack used credential stuffing, in which username and password pairs leaked from breaches of other sites are replayed against a target's login page. It succeeds because many people reuse the same password across multiple accounts, so a leaked password for one service often unlocks another. The compromise of several leading funds highlights the urgent need for enhanced security measures.
The attack impacted Australian Retirement Trust, AustralianSuper, HostPlus, Rest, Insignia Financial, and Cbus, collectively managing over $1 trillion in assets and serving 12.6 million members. The breach resulted in confirmed losses of $500,000 for four members of AustralianSuper, underscoring the severity of the situation.
Regulatory Scrutiny and Multi-Factor Authentication (MFA)
The Australian Prudential Regulation Authority (APRA) has significantly increased its scrutiny of the industry, having previously warned about cybersecurity risks as early as May 2023. In a letter sent to all regulated entities, including banks and superannuation funds, APRA emphasized multi-factor authentication (MFA) as one of the “most effective controls an organisation can implement.”
APRA’s general manager of operational resilience, Alison Bliss, highlighted existing implementation gaps even then, stating: “APRA has noted examples where MFA for customers has been deployed on an opt-in basis, or where exceptions have been granted for customers without mobile phones or located in areas without reliable phone reception. Other examples include remote access being provided for third-party staff without associated MFA.” Bliss further emphasized that APRA considers insufficient MFA coverage a material security weakness, requiring notification to the authority.
The response from the affected funds varied. HostPlus uses MFA for its member online portal and app. Rest requires MFA for app and portal registration, with plans to expand it to all logins. Australian Retirement Trust offers optional MFA and additional security for specific transactions. Insignia Financial and Cbus apply MFA to key activities like withdrawals and account changes. AustralianSuper, which experienced the $500,000 loss, currently uses MFA for fund withdrawals via its website and app, with a planned wider rollout by the following month. The scope of that coverage matters against credential stuffing: where MFA is optional or applied only to withdrawals and account changes, an attacker holding a reused password can still log in, confirm the credential is valid and read the member's details; the control blocks the cash-out step rather than the account takeover itself.
Industry Response and Future Prevention
APRA is collaborating with the Australian Securities and Investments Commission (ASIC) and the National Office of Cyber Security to address the situation. While APRA doesn’t mandate MFA, the Financial Services Council requires its members to implement it by July 2026. Arctic Wolf’s director of security services, Mark Thomas, advocates for mandatory MFA across all financial services, stating: “Purely in credential stuffing, having MFA would help limit hackers’ ability to compromise the users’ credentials.” He further stressed the importance of a holistic approach to identity and access management, considering factors like login location and user behavior to minimize risk. The Department of Home Affairs confirmed ongoing coordination across government and industry stakeholders.
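As an added example that is not part of the original article and not code from any fund, regulator or vendor it names, the following Python sketches how a security team could spot the credential-stuffing pattern described at the top of the page in its authentication logs, and then apply the risk signals Thomas mentions (source reputation, login location) to decide when a successful login should be challenged with a second factor. The log format, field names, thresholds and sample entries are all constructed for illustration.

```python
"""Credential-stuffing detection over auth logs, plus an MFA step-up decision.

Credential stuffing replays username/password pairs leaked from other sites
against a login endpoint. Unlike brute force against one account, its signature
is one source trying MANY distinct usernames, roughly once each, with a low
success ratio. The few logins that succeed are the reused passwords.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in a hypothetical key=value format (field names are
# assumptions, not any real product's schema). IPs are RFC 5737 documentation
# addresses. 203.0.113.7 sprays seven accounts in five seconds and lands two;
# 198.51.100.5 is one member mistyping a password, which must not be flagged.
SAMPLE_LOG = """\
2025-04-01T02:14:07Z ip=203.0.113.7 user=m.smith result=FAIL country=NL
2025-04-01T02:14:08Z ip=203.0.113.7 user=j.ng result=FAIL country=NL
2025-04-01T02:14:08Z ip=203.0.113.7 user=a.patel result=FAIL country=NL
2025-04-01T02:14:09Z ip=203.0.113.7 user=l.chen result=OK country=NL
2025-04-01T02:14:10Z ip=203.0.113.7 user=r.kumar result=FAIL country=NL
2025-04-01T02:14:11Z ip=203.0.113.7 user=s.brown result=FAIL country=NL
2025-04-01T02:14:12Z ip=203.0.113.7 user=t.white result=OK country=NL
2025-04-01T08:30:00Z ip=198.51.100.5 user=d.jones result=FAIL country=AU
2025-04-01T08:30:20Z ip=198.51.100.5 user=d.jones result=FAIL country=AU
2025-04-01T08:30:45Z ip=198.51.100.5 user=d.jones result=OK country=AU
2025-04-01T09:00:00Z ip=198.51.100.9 user=e.wong result=OK country=AU
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events, window_seconds=300, min_distinct_users=5,
                               max_success_ratio=0.5):
    """Return {ip: summary} for every source that, within some sliding window of
    window_seconds, tried at least min_distinct_users different usernames with a
    success ratio at or below max_success_ratio. The ratio cap keeps a shared
    office NAT (many users, nearly all succeeding) from being flagged."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            successes = sum(e["result"] == "OK" for e in window)
            if len(users) >= min_distinct_users and successes / len(window) <= max_success_ratio:
                # Threshold tripped: summarise everything this source did so the
                # responder sees every account it touched, not only the window.
                hits = [e["user"] for e in evs if e["result"] == "OK"]
                flagged[ip] = {
                    "attempts": len(evs),
                    "distinct_users": len({e["user"] for e in evs}),
                    "successes": len(hits),
                    "compromised_accounts": hits,  # valid passwords: reset and enrol MFA
                }
                break
    return flagged


def step_up_required(event, flagged_ips, known_countries):
    """Decide whether a successful login must be challenged with a second factor.
    Two risk signals: the source is a known stuffing source, or the member has
    never logged in from this country before. Failed logins never get here."""
    if event["result"] != "OK":
        return False
    if event["ip"] in flagged_ips:
        return True
    return event["country"] not in known_countries.get(event["user"], set())


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = detect_credential_stuffing(events)
    for ip, summary in flagged.items():
        print(f"{ip}: {summary}")
    history = {"l.chen": {"AU"}, "e.wong": {"AU"}, "d.jones": {"AU"}}  # constructed login history
    for e in events:
        if e["result"] == "OK":
            print(e["user"], "step-up" if step_up_required(e, flagged, history) else "trusted")
```

Run as a script it flags only 203.0.113.7, listing l.chen and t.white as the accounts whose reused passwords worked, and marks both of their logins for step-up while leaving the Australian logins from unflagged sources trusted. The thresholds are deliberately loose for the tiny sample; in production they would be tuned against the fund's real traffic, and the success ratio check is what keeps a legitimate shared egress IP from tripping the rule.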