
Superannuation cyberattack: AustralianSuper, REST among major funds hacked by co-ordinated bid to steal data

Cheyanne Enciso, The Nightly
AustralianSuper on Friday confirmed its defences had been breached, with up to 600 accounts compromised. Credit: Bill Hinton/Getty Images

Some of Australia’s biggest superannuation funds have been hit by what appears to be a concerted cybersecurity attack on the $4 trillion industry, with $500,000 of retirement savings confirmed to have been lost.

AustralianSuper on Friday confirmed its defences had been breached, with up to 600 accounts compromised “in attempts to commit fraud”, with member passwords stolen.

It’s understood four AustralianSuper members have lost a combined total of $500,000. AustralianSuper was the only fund to confirm money had been taken.

“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online,” AustralianSuper chief member officer Rose Kerlin said.

“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app, and we are urging members to take steps to protect themselves online.”

Meanwhile, the cyberattack had compromised the details of at least 8000 members of REST, the default fund for retail workers.

REST chief executive Vicki Doyle said it immediately shut down its member access portal once it became aware of “some unauthorised activity” on March 29-30. As a result, the impact had been limited to less than one per cent of its members.

“No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts,” Ms Doyle said.

“At this stage, we believe that some of our members may have had limited personal information accessed and we are currently working through this with those impacted members.”

Ms Doyle said some members’ personal information such as their first name, email address and member number may have been accessed.

Australian Retirement Trust, Hostplus and the biggest retail super fund Insignia were also breached.

The Association of Superannuation Funds of Australia (ASFA) said that while the majority of the attempts were repelled, “unfortunately a number of members were affected”.

“Funds are contacting all affected members to let them know and are helping any whose data has been compromised.”

“Retirement savers should be assured superannuation funds and their service providers already have rigorous cyber protections in place.”

“In a rapidly evolving threat landscape there will always be new and emerging risks, but Australia’s super sector is proactively working together to improve system-wide defences, including through the ASFA Financial Crime Protection Initiative.”

National cybersecurity co-ordinator Lieutenant General Michelle McGuinness said she was aware of cybercriminals targeting individual account holders of a number of super funds.

“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cybersecurity advice,” she said.

“If you have been impacted or are concerned you may have been impacted, follow the advice provided by your super fund.”

Superannuation funds are urging their members to check accounts for signs of fraud, ensure their banking and contact details are correct, and change their password if it is not unique to their account.

Prime Minister Anthony Albanese said government agencies would investigate the attack but he warned that online attacks had become common in Australia.

“We will respond in time, we’re considering what has occurred,” Mr Albanese said.

“But bear in mind the context here: there is an attack, a cyber attack in Australia about every six minutes.”

Cybersecurity expert Alastair MacGibbon said the attack appeared to be an example of “credential surfing”, where criminals use stolen credentials from one platform to gain unauthorised access to multiple user accounts.

“In effect, if people use the same passwords for multiple accounts, it only takes one data breach for persistent and savvy criminals to gain unauthorised access to their other accounts,” said Mr MacGibbon, who is the chief strategy officer at CyberCX and a former national cybersecurity adviser.
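The pattern Mr MacGibbon describes, one source trying stolen username and password pairs across many different accounts with only a small fraction succeeding, is what a fund's portal logs would show during such a campaign. The following is an added illustration, not code from the article or from any of the funds named in it: a small detector that reads constructed member-portal login records, flags source addresses that attempt an unusually large number of distinct member accounts within a short window, and lists the accounts that were successfully logged into from such a source so they can be locked and the members notified. The log format, field names and thresholds are assumptions made for the example.

```python
"""Credential-stuffing detector over constructed member-portal login logs.

Added example, not code from the article or from any superannuation fund.
The log format, field names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, member id, outcome.
# 203.0.113.7 sprays seven different member ids in seconds (two succeed);
# 198.51.100.9 is one member mistyping their own password, then succeeding.
SAMPLE_LOG = """\
2025-03-29T22:00:01 203.0.113.7 member-1001 FAIL
2025-03-29T22:00:02 203.0.113.7 member-1002 FAIL
2025-03-29T22:00:03 203.0.113.7 member-1003 OK
2025-03-29T22:00:04 203.0.113.7 member-1004 FAIL
2025-03-29T22:00:05 203.0.113.7 member-1005 FAIL
2025-03-29T22:00:06 203.0.113.7 member-1006 FAIL
2025-03-29T22:00:07 203.0.113.7 member-1007 OK
2025-03-29T22:05:00 198.51.100.9 member-2001 FAIL
2025-03-29T22:05:30 198.51.100.9 member-2001 FAIL
2025-03-29T22:06:00 198.51.100.9 member-2001 OK
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_DISTINCT_ACCOUNTS = 5        # assumed threshold per source address


def parse_line(line):
    """Split one constructed log record into its four fields."""
    ts, ip, member, outcome = line.split()
    return datetime.fromisoformat(ts), ip, member, outcome


def detect_stuffing(log_text, window=WINDOW, min_accounts=MIN_DISTINCT_ACCOUNTS):
    """Return {ip: {"accounts": n, "failures": f, "successes": [...]}} for
    every source IP that tried at least `min_accounts` distinct member ids
    within any `window`-long span. Ordinary users retry one account; a
    credential-stuffing source cycles through many, mostly failing."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, member, outcome = parse_line(line)
            events[ip].append((ts, member, outcome))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the span never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            distinct = {m for _, m, _ in span}
            if len(distinct) < min_accounts:
                continue
            # Keep the widest span seen for this source address.
            prev = findings.get(ip)
            if prev is None or len(distinct) > prev["accounts"]:
                findings[ip] = {
                    "accounts": len(distinct),
                    "failures": sum(1 for _, _, o in span if o == "FAIL"),
                    "successes": sorted({m for _, m, o in span if o == "OK"}),
                }
    return findings


def accounts_to_lock(log_text):
    """Member ids that were successfully accessed from a flagged source:
    the accounts a fund would lock and whose owners it would notify."""
    locked = set()
    for finding in detect_stuffing(log_text).values():
        locked.update(finding["successes"])
    return sorted(locked)


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['accounts']} accounts tried, "
              f"{f['failures']} failed, succeeded on {f['successes']}")
    print("lock and notify:", accounts_to_lock(SAMPLE_LOG))
```

The distinct-account count per source is the discriminating signal: a legitimate member who forgets a password generates repeated failures against one account, whereas a stuffing run generates failures against many accounts with an occasional success wherever a password was reused from another breach. Real deployments would also key on session and device fingerprints and enforce rate limits, but the per-source distinct-account window above is the core check.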
