Incident

Australian superannuation funds hit by coordinated cyberattack


Several of Australia's largest superannuation funds have been targeted in what appears to be a coordinated cyberattack, resulting in stolen funds and compromised member data.

Superannuation funds are investment accounts in Australia designed to help individuals save for retirement. Employers are required to contribute a percentage of an employee's earnings into these funds, which then invest the money to grow until the employee reaches retirement age.

The Association of Superannuation Funds of Australia (ASFA) confirmed on Friday, 4 April, that while most attempted breaches were stopped, several funds were affected by attacks that took place the previous weekend.

Impacted funds:

  • AustralianSuper: Confirmed that four members had approximately $500,000 stolen from their accounts. Attackers used stolen passwords belonging to 600 members to attempt fraud.
  • REST Super: Reported that 8,000 members (less than 1% of total membership) were affected, with most exposures limited to first names, email addresses, and member numbers. For fewer than 20 members, more sensitive data may have been accessed, including full names, addresses, account beneficiaries, and balances. The fund stated no member funds were transferred out of affected accounts.
  • Australian Retirement Trust, Hostplus, and Insignia (owner of MLC): Also confirmed as being breached, according to AFR Weekend reporting.
  • Hostplus: Still investigating, but stated that no member losses had been discovered as of Friday.
  • Australian Ethical: Reported its analysis showed the fund was unaffected.

The total number of affected individuals and the total amount of money stolen have not been disclosed.

Security experts identified the attack as "credential stuffing", a technique in which attackers take username and password pairs stolen in previous data breaches and replay them, usually with automated tooling, against login pages of other services. The approach succeeds only against users who reuse the same password across different platforms, which is why it was effective here despite the funds' own systems not being breached for those credentials.
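As an added illustration (not from the article, ASFA, or any fund's own tooling), the Python below shows the kind of check a defender would run over authentication logs to spot credential stuffing: a single source trying many distinct usernames with a high failure rate, where the rare successes are the accounts to treat as compromised. The log format, addresses, and member identifiers are all constructed for the example.

```python
"""Credential-stuffing detector over constructed authentication logs.

Heuristic: a stuffing source tries many *different* usernames in a short
window with a high failure rate. A legitimate user fails on one or two
accounts; a bot replaying breached credentials fails across dozens and
occasionally succeeds, and those successes are the compromised accounts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = """\
2025-03-29T02:00:01Z login src=203.0.113.5 user=member1001 result=FAIL
2025-03-29T02:00:02Z login src=203.0.113.5 user=member1002 result=FAIL
2025-03-29T02:00:02Z login src=203.0.113.5 user=member1003 result=FAIL
2025-03-29T02:00:03Z login src=203.0.113.5 user=member1004 result=OK
2025-03-29T02:00:04Z login src=203.0.113.5 user=member1005 result=FAIL
2025-03-29T02:00:05Z login src=203.0.113.5 user=member1006 result=FAIL
2025-03-29T02:01:00Z login src=198.51.100.9 user=member2001 result=FAIL
2025-03-29T02:01:30Z login src=198.51.100.9 user=member2001 result=OK
"""


def parse_line(line):
    """Return (timestamp, source address, username, result) for one line."""
    ts_str, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["user"], fields["result"]


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, min_fail_ratio=0.6):
    """Flag sources whose sliding window holds many distinct users and mostly failures."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, user, result = parse_line(line)
            events[src].append((ts, user, result))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            ratio = sum(r == "FAIL" for _, _, r in win) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(src, {"distinct_users": 0})
                if len(users) > prev["distinct_users"]:  # keep the widest window
                    flagged[src] = {"distinct_users": len(users),
                                    "fail_ratio": round(ratio, 2),
                                    "successes": [u for _, u, r in win if r == "OK"]}
    return flagged
```

On the sample log the bot source is flagged with one successful login (member1004), which is the account a fund would lock and contact; the single-user source with one typo-then-success is not.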

Alastair MacGibbon, chief strategy officer at cybersecurity firm CyberCX, noted: "Nearly every Australian adult has been impacted by a data breach and criminals are using these breaches, often with automated scripts, to conduct credential stuffing attacks at scale."

ASFA stated that affected funds are contacting members whose data was compromised. The national cybersecurity coordinator, Lt Gen Michelle McGuinness, confirmed she is working with agencies across government to coordinate a response. The Australian Prudential Regulation Authority (APRA) and the Australian Securities and Investments Commission (ASIC) are engaging with potentially impacted funds.

Superannuation funds are advising members to:

  • Check their accounts for unauthorized activity
  • Verify that bank and contact details are correct
  • Use strong, unique passwords for their accounts
  • Implement multi-factor authentication where available