Hackers have used a technique known as credential stuffing (replaying username and password pairs leaked in earlier, unrelated breaches against a login page) to steal AU$500,000 while breaching over 20,000 member accounts at Australia’s largest pension funds. This coordinated cyberattack, which targeted superannuation funds, has raised concerns about the security of user accounts and the protection of financial assets.
The Australian Financial Review first reported on this cyberattack, revealing that multiple super funds were simultaneously targeted by hackers. Among the impacted funds, AustralianSuper, the country’s largest fund with 3.4 million members and AU$360 billion in assets, detected suspicious activities that compromised approximately 600 member accounts. Despite this breach, no financial theft occurred within AustralianSuper, as the company promptly disabled certain functions on its mobile app and online accounts to safeguard member information.
In response to the incident, AustralianSuper faced an influx of inquiries from concerned members about the security of their accounts and the potential impact of the cyberattack. The company assured its members that any changes in account balances were likely due to market fluctuations rather than fraudulent activity. However, the high volume of inquiries led to intermittent outages of the company’s call center, online accounts, and mobile app.
Similarly, Hostplus, another superannuation fund, reported hacking activity that did not result in financial losses, thanks to security measures already in place such as multi-factor authentication and web application firewalls. Nevertheless, the heightened public interest in the cyber incident prompted a surge in login attempts by members, straining the company’s systems and disrupting services.
The Association of Superannuation Funds of Australia acknowledged the cyberattacks on multiple superannuation funds and confirmed their impact on member accounts. This acknowledgment comes in the wake of growing concerns about the industry’s vulnerability to cyber threats, prompting the government to coordinate a response to safeguard member assets.
According to reports, hackers compromised over 20,000 superannuation fund accounts during the coordinated attacks on targeted funds, including AustralianSuper and Rest. Rest Super disclosed that approximately 8,000 members had their personal information accessed, such as names, email addresses, and member IDs, but no funds were transferred out of the affected accounts.
The AU$4 trillion superannuation industry has come under scrutiny for its inadequate cybersecurity controls, as evidenced by recent breaches and cyberattacks on various super funds. These incidents highlight the urgent need for enhanced protections to safeguard member accounts and prevent future breaches that could jeopardize retirement savings.
Super Consumers Australia CEO Xavier O’Halloran condemned the recent cyberattacks on superannuation funds, calling for immediate action to strengthen protections against fraudsters, scammers, and cybercriminals. O’Halloran emphasized the importance of ensuring the security of Australians’ retirement savings and urged the government to enact stricter regulations to mitigate cyber risks within the superannuation system.
In light of these cyber threats and breaches, the superannuation industry faces mounting pressure to prioritize cybersecurity measures and safeguard member assets against malicious actors seeking to exploit vulnerabilities in the financial sector. The incident underscores the critical need for proactive security measures and collaborative efforts to fortify the resilience of Australia’s pension funds in an increasingly digitized and interconnected landscape.