
Hackers have targeted Australian superannuation funds this week, with a small number of customers losing a combined half a million dollars, and compromising some members’ data, the industry’s peak body says.
The Association of Superannuation Funds of Australia (ASFA) said in a statement on Friday that hackers attempted to breach the cyber defences of a number of superannuation funds last weekend. While the majority of attempts were stopped, several companies were affected, it said.
ASFA said the funds were contacting all affected members to let them know if their data had been compromised.
“Retirement savers should be assured superannuation funds and their service providers already have rigorous cyber protections in place,” ASFA said in a statement.
Hostplus, Rest, AustralianSuper and Australian Retirement Trust were among the funds hit in the attack, national cyber security co-ordinator Lieutenant General Michelle McGuinness confirmed on Friday. Superannuation and banking firms were working with government agencies to respond to the attack, McGuinness said.
Insignia Financial, which oversees brands including MLC and IOOF, said about 100 accounts on its Expand platform had been targeted, but no financial impact to customers had been detected.
Rest said 8,000 accounts may have had personal information accessed but no funds were transferred.
AustralianSuper, which has more than 3.4m members, confirmed four of its members had a collective $500,000 taken from their accounts. Stolen passwords were used to log into the accounts of 600 members and to attempt fraud.
“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app, and we are urging members to take steps to protect themselves online,” AustralianSuper’s chief member officer, Rose Kerlin, said.
“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”
The fund advised members to log into their accounts to make sure their bank and contact details were correct and ensure their account password was strong and unique for the account.
Its members struggled to log in on Friday amid high call-centre traffic and intermittent outages to online services, and those trying to gain access were warned they might not be able to see their accounts, or might see a $0 balance, even if their account was secure.
“Even though you may not be able to see your account, or you are seeing a $0 balance, your account is secure,” the fund said, assuring members it was a temporary glitch.
The prime minister, Anthony Albanese, said on Friday he had been informed about the attack.
“We will respond in time. We’re considering what has occurred. But bear in mind the context here. There is an attack, a cyber-attack, in Australia about every six minutes. This is a regular issue,” he said.
“We have beefed up funding for the Australian Signals Directorate … We’ll have a considered response to it. But the agencies, of course, will work very strongly on it.”
A spokesperson for Rest superannuation fund said the attack had affected 8,000 of its members, with limited personal data exposed in most cases, including first names, email addresses and member numbers. The fund said there was a chance other data – including full names, addresses, and account beneficiaries and balances – could have been accessed for fewer than 20 members.
“Due to our incident response protocols, the impact has been limited to less than 1% of our members. Nevertheless, this will be very concerning for the members who have been impacted, and we are very sorry this has happened,” Vicki Doyle, the Rest chief executive, said.
“We are in the process of contacting impacted members to work through what this means for them and provide support. No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”
Australian Ethical said its analysis so far showed the fund was unaffected. It said it appeared that the reuse of previously leaked passwords had exacerbated the attack.
“While the reported attacks appear to involve the reuse of passwords exposed in earlier data breaches, we are not being complacent,” the fund said.
“We have multi-factor authentication for all members and internal controls to protect members in these circumstances.”
A spokesperson for HostPlus said the fund was still investigating, but as of Friday, no losses from members had been discovered.
“Our top priority is the security and privacy of our members and their accounts, and we are taking all necessary measures to protect our systems and data.”
The national cybersecurity coordinator, Lt Gen Michelle McGuinness, said on Friday she was working with agencies across government to coordinate a whole-of-government response.
“The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) are engaging with all potentially impacted superannuation funds to support safe outcomes for members,” she said.
“Super fund members should follow the advice of their superannuation funds: check your accounts, remain engaged with your funds if you are concerned you have been impacted, and be vigilant of potential fraud.”
Alastair MacGibbon, the chief strategy officer at leading cybersecurity firm CyberCX, said the method of attack used by the hackers, known as credential stuffing, was on the rise.
“Credential stuffing is a growing threat to businesses and individuals, and CyberCX is tracking an increase in these attacks,” he said.
“Nearly every Australian adult has been impacted by a data breach and criminals are using these breaches, often with automated scripts, to conduct credential stuffing attacks at scale.”
MacGibbon advised people to use strong, unique passwords and not to use the same one across multiple accounts. He said organisations should implement multi-factor authentication and conduct data exposure assessments to find out where their credentials were available on the dark web.
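The pattern MacGibbon describes, automated scripts replaying leaked username/password pairs against many accounts, leaves a recognisable trace in authentication logs: a single source trying many distinct accounts in a short window, most attempts failing, a few succeeding. The following is an added example of how a fund's security team might flag that pattern; it is not code from the article, CyberCX or any of the funds named. The log format, the sample lines and the thresholds (10 attempts against 8 or more distinct accounts within 10 minutes) are assumptions made for illustration.

```python
"""Flag credential-stuffing sources in a login log (added illustrative example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one login attempt per line. The attacker source
# 203.0.113.7 cycles through twelve member accounts in 22 seconds and gets
# two correct (reused) passwords; the other two sources are ordinary members.
SAMPLE_LOG = """\
2025-04-05T09:00:01Z ip=203.0.113.7 user=m100001 result=FAIL
2025-04-05T09:00:03Z ip=203.0.113.7 user=m100002 result=FAIL
2025-04-05T09:00:05Z ip=203.0.113.7 user=m100003 result=FAIL
2025-04-05T09:00:07Z ip=203.0.113.7 user=m100004 result=OK
2025-04-05T09:00:09Z ip=203.0.113.7 user=m100005 result=FAIL
2025-04-05T09:00:11Z ip=203.0.113.7 user=m100006 result=FAIL
2025-04-05T09:00:13Z ip=203.0.113.7 user=m100007 result=FAIL
2025-04-05T09:00:15Z ip=203.0.113.7 user=m100008 result=FAIL
2025-04-05T09:00:17Z ip=203.0.113.7 user=m100009 result=OK
2025-04-05T09:00:19Z ip=203.0.113.7 user=m100010 result=FAIL
2025-04-05T09:00:21Z ip=203.0.113.7 user=m100011 result=FAIL
2025-04-05T09:00:23Z ip=203.0.113.7 user=m100012 result=FAIL
2025-04-05T09:01:00Z ip=198.51.100.20 user=m200001 result=OK
2025-04-05T09:02:10Z ip=198.51.100.21 user=m200002 result=FAIL
2025-04-05T09:02:30Z ip=198.51.100.21 user=m200002 result=FAIL
2025-04-05T09:02:45Z ip=198.51.100.21 user=m200002 result=OK
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line (assumed format) into a dict."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": fields["ip"],
        "user": fields["user"],
        "ok": fields["result"] == "OK",
    }


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_attempts=10, min_distinct_users=8):
    """Return {source_ip: summary} for sources whose attempts in any sliding
    window cover many distinct accounts. The thresholds are assumptions; tune
    them to the portal's normal traffic before alerting on them."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(win) >= min_attempts and len(users) >= min_distinct_users:
                summary = flagged.setdefault(ip, {
                    "attempts": 0, "distinct_users": 0, "successes": set()})
                summary["attempts"] = max(summary["attempts"], len(win))
                summary["distinct_users"] = max(summary["distinct_users"], len(users))
                # Accounts where the leaked password worked: these members need
                # a forced password reset and a check of bank/contact details.
                summary["successes"].update(e["user"] for e in win if e["ok"])

    # Normalise for reporting: sorted list of candidate compromised accounts.
    return {
        ip: {
            "attempts": s["attempts"],
            "distinct_users": s["distinct_users"],
            "compromised_candidates": sorted(s["successes"]),
        }
        for ip, s in flagged.items()
    }


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The member at 198.51.100.21 fails twice and then logs in, which is what a forgotten password looks like and is not flagged; the stuffing source is flagged because it touches many distinct accounts rather than because it fails often. The two accounts in `compromised_candidates` are the ones whose reused passwords worked, which is where the article's advice applies: reset the password, confirm bank and contact details have not been changed, and make sure multi-factor authentication is enforced so a leaked password alone is not enough.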
ASFA said the industry was working together to improve system-wide defences, including establishing a hotline between the sector and relevant government agencies, improving information sharing, and developing frameworks to combat financial and cybercrime.