Who was affected?
On Friday April 4th, criminals hacked into thousands of industry and retail superannuation accounts, with up to 9,000 accounts compromised, but only AustralianSuper experienced member losses, with $500,000 stolen across four accounts. Those four accounts were in the pension phase and so could legally draw down funds without restriction. The attack caused panic across the $4.2 trillion sector, with members crashing funds’ websites and apps as millions rushed to check their super balances.
AustralianSuper, which has 3.52 million customers and $367.1 billion in funds under management, has vowed to refund the members who had funds stolen, and said the cyber criminals may have used up to 600 members’ stolen passwords to log into their accounts in an attempt to commit fraud. REST Super, which has $92 billion in assets under management and 2 million members, similarly stated that about 8,000 members were affected by the attack, with Australian Retirement Trust reporting 200 affected and retail super fund provider MLC Expand, owned by Insignia Financial, reporting 100. The cybercriminals used a technique called “credential stuffing”: they take usernames and passwords leaked in an unrelated breach, typically found on the dark web, and try them against other services, succeeding wherever a member has reused the same password.
In an incident around the same time, several funds also reported criminals impersonating key executives in a bid to gain access to their systems.
Not-so-super funds?
Following the attack, the Australian Prudential Regulation Authority (APRA) wrote to funds telling them to report by midday on Monday April 7th if they had also been breached, with Cbus subsequently saying it had noticed suspicious activity on its accounts. The industry fund reported an unusually high spike in log-in attempts, which occurred shortly after the cyber-attack that impacted other funds. The delayed response has caused anger from some investors, who were disappointed by Cbus’ poor disclosure to members and lack of customer service amidst widespread panic across the sector.
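Credential stuffing of the kind described above leaves a distinctive trace in a fund’s authentication logs: one source trying many different member accounts in quick succession with mostly failed logins, together with an overall spike in attempts like the one Cbus reported. The following Python is an added example, not code from this article or from any fund, that flags both patterns over a constructed sample log; the log format, thresholds and member IDs are assumptions.

```python
"""Credential-stuffing detector over constructed login-audit lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log, not data from any fund: "timestamp,src_ip,member_id,result"
SAMPLE_LOG = """\
2025-04-04T02:00:01,203.0.113.9,m10001,FAIL
2025-04-04T02:00:02,203.0.113.9,m10002,FAIL
2025-04-04T02:00:02,203.0.113.9,m10003,FAIL
2025-04-04T02:00:03,203.0.113.9,m10004,SUCCESS
2025-04-04T02:00:04,203.0.113.9,m10005,FAIL
2025-04-04T02:00:05,203.0.113.9,m10006,FAIL
2025-04-04T02:00:10,198.51.100.7,m20001,FAIL
2025-04-04T02:00:40,198.51.100.7,m20001,SUCCESS
2025-04-04T02:05:00,192.0.2.33,m30001,SUCCESS
"""

def parse(log_text):
    """Parse CSV-style lines into (timestamp, ip, member, ok) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, member, result = line.split(",")
        events.append((datetime.fromisoformat(ts), ip, member, result == "SUCCESS"))
    return events

def stuffing_sources(events, window_s=60, min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that try many *distinct* accounts within window_s seconds
    with a mostly failing outcome: the signature of a replayed leaked list, as
    opposed to one member mistyping their own password. Successful logins from a
    flagged source are the accounts to lock and contact first."""
    by_ip = defaultdict(list)
    for ts, ip, member, ok in events:
        by_ip[ip].append((ts, member, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_s]
            accounts = {m for _, m, _ in span}
            hits = sorted(m for _, m, ok in span if ok)
            if len(accounts) >= min_accounts and len(hits) / len(span) <= max_success_rate:
                flagged[ip] = {"attempts": len(span), "distinct_accounts": len(accounts),
                               "compromised": hits}
                break
    return flagged

def attempt_spike(events, baseline_per_min, factor=5):
    """Return the minutes whose login-attempt count is >= factor x the normal rate."""
    per_min = Counter(ts.replace(second=0, microsecond=0) for ts, *_ in events)
    return {minute: n for minute, n in per_min.items() if n >= factor * baseline_per_min}
```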
In February 2023, APRA issued a warning to super funds about the increasing risk to the industry from cyber breaches and fraud, and the need for them to ramp up their security measures. Investors and regulators have thus both expressed concern at the sector’s seeming inability to adequately address these risks and keep on top of cybersecurity, and at the lack of transparency funds have given members about their security measures and what members themselves could do to prevent breaches (such as not reusing passwords from their other accounts). This has caused some investors to question whether an industry fund is right for them and to investigate alternatives.
What should you do?
If you have an industry fund:
- Log in to check for any unauthorised access to your account
- Regularly update your password
- Enable multi-factor authentication if available
If you still feel uneasy about the safety of your superannuation, please reach out to our team.