Hackers Use Credential Stuffing to Steal AU$500,000, Breach 20,000 Member Accounts

Australia’s largest pension funds faced coordinated credential attacks last week that compromised thousands of user accounts and led to the theft of at least AU$500,000 from four superannuation accounts.
The Australian Financial Review reported on Friday that the country’s largest superannuation funds – locally known as super funds – faced simultaneous cyberattacks by hackers.
AustralianSuper, the country’s largest fund, which manages AU$360 billion for 3.4 million members, said Monday that it encountered suspicious activity over the past week that compromised about 600 member accounts but did not involve financial theft.
The super fund said it immediately disabled some functions of its mobile app and online accounts to protect member accounts, which meant members could not change their bank account information or contact details. If members noticed a change in their account balance, the change could have resulted from volatility in the financial markets rather than suspicious or fraudulent activity, the firm said.
The company’s assurances did little to calm members’ fears about the security of their life savings. The fund said it has been inundated with calls from members asking about the cyber incident and its effect on their accounts.
“We are experiencing a high volume of traffic to the call center, member online accounts and the mobile app that may cause intermittent outages,” AustralianSuper said. “We are also undertaking a range of planned maintenance to address this issue that may result in the portal and app being offline at times.”
David Elia, chief executive officer of superannuation fund Hostplus, said the company also experienced hacking activity over the past week but it did not result in any financial losses. “We believe that the strong security safeguards we have in place, including multi-factor authentication and web application firewall, combined with heightened monitoring protocols, have helped mitigate any impacts,” he said.
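Credential stuffing, the technique behind the attacks described in this article, has a recognisable signature in authentication logs: one source tries one or two passwords against many different member accounts, whereas a classic brute-force attack hammers a single account. The script below is an added illustration of the kind of "heightened monitoring" a fund's security team could run over its login logs; it is not code from Hostplus, AustralianSuper or any other organisation named here. The log format, IP addresses, member identifiers and thresholds are constructed for the example.

```python
"""Credential-stuffing detection over constructed login logs.

Everything here (log format, IPs from documentation ranges, member ids,
thresholds) is an assumption for illustration, not data from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source IP> <member id> <result>".
# 203.0.113.7 tries ten different members in seconds (stuffing, two hits).
# 198.51.100.9 hammers one member id (brute force).
# 192.0.2.44 is a normal member logging in twice.
SAMPLE_LOG = """\
2025-04-01T09:00:01 203.0.113.7 m100001 FAIL
2025-04-01T09:00:02 203.0.113.7 m100002 FAIL
2025-04-01T09:00:02 203.0.113.7 m100003 FAIL
2025-04-01T09:00:03 203.0.113.7 m100004 OK
2025-04-01T09:00:03 203.0.113.7 m100005 FAIL
2025-04-01T09:00:04 203.0.113.7 m100006 FAIL
2025-04-01T09:00:05 203.0.113.7 m100007 FAIL
2025-04-01T09:00:05 203.0.113.7 m100008 OK
2025-04-01T09:00:06 203.0.113.7 m100009 FAIL
2025-04-01T09:00:07 203.0.113.7 m100010 FAIL
2025-04-01T09:01:00 198.51.100.9 m200001 FAIL
2025-04-01T09:01:05 198.51.100.9 m200001 FAIL
2025-04-01T09:01:10 198.51.100.9 m200001 FAIL
2025-04-01T09:01:15 198.51.100.9 m200001 FAIL
2025-04-01T09:01:20 198.51.100.9 m200001 FAIL
2025-04-01T09:01:25 198.51.100.9 m200001 FAIL
2025-04-01T09:02:00 192.0.2.44 m300001 OK
2025-04-01T09:30:00 192.0.2.44 m300001 OK
"""


def parse_log(text):
    """Return events as (timestamp, ip, member_id, success) sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, member, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, member, result == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=5), min_accounts=8, min_attempts=5):
    """Classify each source IP using a sliding time window.

    credential_stuffing: at least `min_accounts` distinct member ids tried
        from one IP within `window` (many accounts, few tries each).
    brute_force: one member id with at least `min_attempts` failures in `window`.
    Sources matching neither pattern are not reported.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start, verdict, peak_accounts, peak_fails = 0, None, 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until evs[start:end+1] fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e[2] for e in span}
            fails = sum(1 for e in span if not e[3])
            if len(accounts) >= min_accounts:
                verdict = "credential_stuffing"
            elif verdict is None and len(accounts) == 1 and fails >= min_attempts:
                verdict = "brute_force"
            if (len(accounts), fails) > (peak_accounts, peak_fails):
                peak_accounts, peak_fails = len(accounts), fails
        if verdict is None:
            continue
        # Any login that succeeded from a stuffing source is a likely account takeover.
        succeeded = sorted({e[2] for e in evs if e[3]}) if verdict == "credential_stuffing" else []
        findings[ip] = {
            "verdict": verdict,
            "accounts_tried": peak_accounts,
            "failed": peak_fails,
            "succeeded_accounts": succeeded,
        }
    return findings


def accounts_to_protect(findings):
    """Member ids that should get forced re-authentication and a hold on
    bank-detail changes: successful logins from a stuffing source."""
    out = set()
    for info in findings.values():
        out.update(info["succeeded_accounts"])
    return sorted(out)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(ip, info)
    print("protect:", accounts_to_protect(found))
```

The distinguishing feature is the ratio of distinct accounts to attempts per source, which is why per-account lockout alone does not stop stuffing: each account only sees one or two failures. The output feeds the kind of response the funds described, such as freezing changes to bank details and contact information on the affected accounts while they are re-verified.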
Elia said strong public interest in the incident prompted members to attempt to log in to their accounts simultaneously, putting significant stress on the company’s systems and disrupting the Member Online service and the Hostplus application.
The Association of Superannuation Funds of Australia, the superannuation industry’s top policy advocacy body, acknowledged the cyberattacks on multiple superannuation funds. The group confirmed that the attacks affected some member accounts, and the funds are updating members on the impact to their accounts.
Following growing public outcry over the superannuation industry’s vulnerability to attacks, National Cybersecurity Coordinator Michelle McGuinness said she was aware of cybercriminals targeting individual account holders of superannuation funds and has been working with government agencies, financial regulators and industry bodies to coordinate a whole-of-government response to the incident.
“The Australian Prudential Regulation Authority and Australian Securities and Investments Commission are engaging with all potentially impacted superannuation funds to support safe outcomes for members,” she said.
According to Reuters, hackers compromised more than 20,000 superannuation fund accounts during the coordinated attacks. The targeted super funds included AustralianSuper, Australian Retirement Trust, Rest, Insignia and Hostplus.
Rest Super said the malicious activity affected about 8,000 members who had some of their personal information accessed in the form of names, email addresses and member identification numbers. “No member funds were transferred out of impacted members’ accounts due to these unauthorized access attempts,” the fund said.
The AU$4 trillion superannuation industry has been criticized for not doing enough to improve cybersecurity controls for member accounts and suffering breaches as a result. Super fund NGS Super suffered a cyberattack in March 2023 that compromised members’ personal information but did not affect their funds because member savings were stored on a separate platform.
Super Consumers Australia CEO Xavier O’Halloran described the recent coordinated attacks on superannuation funds as “shocking and unsettling,” saying the incident creates an urgent need for the funds to step up protections for member accounts.
“Australians are legally required to put their money into super. Today’s news is chilling when we know super funds aren’t doing enough to protect Australians’ retirement savings,” O’Halloran said. “When something goes wrong, too many people are being left without support, answers or access to their own money.”
“We’re calling on the next government to urgently extend the new protections to safeguard Australians’ retirement savings against fraudsters, scammers and cybercriminals. The super system has no excuse to be unprepared. It’s time to meet community expectations and protect people’s money when it matters most,” O’Halloran said.