A coordinated cyberattack has struck several major Australian superannuation funds, resulting in the theft of $500,000 from a small number of customer accounts and the potential compromise of thousands more.
The attack, which unfolded over the past week, targeted some of the country’s largest retirement savings providers, prompting a swift response from the government and the industry’s top cybersecurity authorities.
The Association of Superannuation Funds of Australia (ASFA) confirmed on Friday that while the majority of attempted breaches were thwarted, several companies were affected by the intrusion. The attackers logged in to member portals and apps with stolen credentials rather than by exploiting a software flaw, exposing the data and funds of a limited number of individuals.
AustralianSuper, one of the country’s largest funds with over 3.4 million members, was among the hardest hit, according to The Guardian. Four of its members lost a combined total of $500,000 after attackers accessed accounts using stolen passwords. Fraudulent login attempts were detected across 600 accounts, triggering a lockdown of suspicious profiles and direct notifications to affected members.
“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app,” said Rose Kerlin, Chief Member Officer at AustralianSuper. “We took immediate action to lock these accounts and notify members. However, we urge all members to take steps to protect themselves online.”
AustralianSuper advised its members to review and update their account information, ensure passwords are strong and unique, and remain alert to signs of fraud. Some members experienced difficulties accessing their accounts on Friday, encountering system outages and viewing incorrect $0 balances. The fund reassured users that these were temporary glitches and their accounts remained secure.
Other super funds impacted in the cyberattack include Hostplus, Rest, the Australian Retirement Trust, and Insignia Financial – which oversees brands like MLC and IOOF. While Insignia detected suspicious activity on about 100 accounts within its Expand platform, no financial losses were reported.
Rest confirmed that around 8,000 member accounts may have had personal data accessed, including first names, email addresses, and member numbers. In fewer than 20 cases, more sensitive information such as full names, addresses, and account balances may have been exposed. However, no funds were transferred out.
Australian Ethical said its systems appeared unaffected but acknowledged the broader threat posed by reused credentials from previous data breaches.
Hostplus stated it was still investigating but had not identified any member losses as of Friday.
The attack method employed by the hackers is known as credential stuffing: automated tooling replays username and password pairs leaked in earlier, unrelated breaches against the login endpoints of other services. It succeeds only where a person has reused the same password across sites, which is why unique passwords per service and multi-factor authentication blunt it, and why the attack shows up in logs as a burst of logins for many different usernames from the same source with a high failure rate.
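As an added illustration, not code from the article or from any of the funds it names, the Python below shows the kind of authentication-log check a defender would run to spot a credential-stuffing run: many distinct usernames attempted from one source within a short window, mostly failing, with any success inside that window flagged as a probable account takeover. The log format, the thresholds and the sample entries are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample auth log (not real fund logs). Fields: time, source IP,
# username, result. 203.0.113.10 sprays ten different accounts in six
# seconds and gets one hit; 198.51.100.7 is one user mistyping a password.
SAMPLE_LOG = """\
2025-04-03T09:00:01Z 203.0.113.10 alice@example.com FAIL
2025-04-03T09:00:02Z 203.0.113.10 bob@example.com FAIL
2025-04-03T09:00:02Z 203.0.113.10 carol@example.com FAIL
2025-04-03T09:00:03Z 203.0.113.10 dave@example.com SUCCESS
2025-04-03T09:00:03Z 203.0.113.10 erin@example.com FAIL
2025-04-03T09:00:04Z 203.0.113.10 frank@example.com FAIL
2025-04-03T09:00:04Z 203.0.113.10 grace@example.com FAIL
2025-04-03T09:00:05Z 203.0.113.10 heidi@example.com FAIL
2025-04-03T09:00:05Z 203.0.113.10 ivan@example.com FAIL
2025-04-03T09:00:06Z 203.0.113.10 judy@example.com FAIL
2025-04-03T09:01:00Z 198.51.100.7 alice@example.com FAIL
2025-04-03T09:01:30Z 198.51.100.7 alice@example.com FAIL
2025-04-03T09:02:00Z 198.51.100.7 alice@example.com SUCCESS
2025-04-03T09:05:00Z 192.0.2.44 mallory@example.com SUCCESS
"""


@dataclass(frozen=True)
class LoginAttempt:
    ts: datetime
    src_ip: str
    user: str
    success: bool


def parse_auth_log(text):
    """Parse the constructed whitespace-separated format into LoginAttempt records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # fromisoformat accepts a trailing 'Z' only on Python 3.11+, so normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append(LoginAttempt(when, ip, user, result == "SUCCESS"))
    return records


def detect_credential_stuffing(records, window=timedelta(minutes=5),
                               min_distinct_users=8, min_failure_rate=0.7):
    """Return {src_ip: summary} for sources whose attempts, inside any sliding
    window of `window` length, touched at least `min_distinct_users` accounts
    with a failure rate of at least `min_failure_rate`. Successful logins
    inside an alerting window are reported as likely compromised accounts."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.src_ip].append(r)

    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until it fits within `window` of the newest attempt.
            while attempts[end].ts - attempts[start].ts > window:
                start += 1
            win = attempts[start:end + 1]
            users = {r.user for r in win}
            failures = sum(1 for r in win if not r.success)
            rate = failures / len(win)
            if len(users) >= min_distinct_users and rate >= min_failure_rate:
                prev = alerts.get(ip)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "failure_rate": rate,
                        "compromised": sorted({r.user for r in win if r.success}),
                    }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The single-user source that fails twice and then succeeds is deliberately not flagged: that pattern is a legitimate member mistyping a password, and treating it as an attack is how a detector generates the lockouts and $0-balance style disruption members complain about. The check above catches the noisy single-source case only; a campaign that rotates through many proxy addresses at a low rate per address needs other signals, such as aggregating by network block or device fingerprint, and is ultimately defeated at the account level by screening passwords against known breach corpora and requiring a second factor.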
“Credential stuffing is a growing threat to businesses and individuals,” said Alastair MacGibbon, Chief Strategy Officer at cybersecurity firm CyberCX. “Nearly every Australian adult has been impacted by a data breach, and criminals are using these breaches at scale.”
Lieutenant General Michelle McGuinness, Australia’s national cybersecurity coordinator, confirmed that her office was working with government agencies to coordinate a whole-of-government response. Agencies involved include the Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC).
Prime Minister Anthony Albanese addressed the situation on Friday, acknowledging the attack and the broader cybersecurity threat landscape facing the nation.
ASFA said the superannuation sector is collaborating closely with government bodies to bolster defences, including establishing a direct hotline for threat sharing and developing frameworks to prevent future financial and cybercrime.