Australian super funds compromised after data breach as hackers use stolen passwords | Superannuation

Hackers have targeted Australian superannuation funds this week, compromising some members’ data, the industry’s peak body says.

The Association of Superannuation Funds of Australia (ASFA) said in a statement on Friday that hackers attempted to breach the cyber defences of a number of superannuation funds last weekend. While the majority of attempts were stopped, several companies were affected, it said.

ASFA did not name them but said the funds were contacting all affected members to let them know if their data had been compromised.

“Retirement savers should be assured superannuation funds and their service providers already have rigorous cyber protections in place,” ASFA said in a statement.

The prime minister, Anthony Albanese, said on Friday he had been informed about the attack.

“We will respond in time. We’re considering what has occurred. But bear in mind the context here. There is an attack, a cyber attack, in Australia about every six minutes. This is a regular issue,” he said.

“We have beefed up funding for the Australian Signals Directorate … We’ll have a considered response to it. But the agencies, of course, will work very strongly on it.”

A spokesperson for Rest superannuation fund said the attack had affected 8,000 of its members, with limited personal data exposed in most cases, including first names, email addresses and member numbers. The fund said there was a chance other data – including full names, addresses, and account beneficiaries and balances – could have been accessed for fewer than 20 members.

“Due to our incident response protocols, the impact has been limited to less than 1% of our members. Nevertheless, this will be very concerning for the members who have been impacted, and we are very sorry this has happened,” Vicki Doyle, the Rest chief executive, said.

“We are in the process of contacting impacted members to work through what this means for them and provide support. No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

AustralianSuper confirmed it had been the victim of an attack, with passwords stolen from 600 members used to log into their accounts and attempt fraud.

“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app, and we are urging members to take steps to protect themselves online,” the AustralianSuper chief member officer, Rose Kerlin, said.

“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”

The fund advised members to log into their accounts to ensure their bank and contact details were correct and their account password was strong and unique.


Australian Ethical said its analysis so far showed the fund was unaffected. It said it appeared that the reuse of previously leaked passwords had exacerbated the attack.

“While the reported attacks appear to involve the reuse of passwords exposed in earlier data breaches, we are not being complacent,” the fund said.

“We have multi-factor authentication for all members and internal controls to protect members in these circumstances.”

A spokesperson for HostPlus said the fund was still investigating, but as of Friday, no losses from members had been discovered.

“Our top priority is the security and privacy of our members and their accounts, and we are taking all necessary measures to protect our systems and data.”

Alastair MacGibbon, the chief strategy officer at leading cybersecurity firm CyberCX, said the method of attack used by the hackers, known as credential stuffing, was on the rise.

“Credential stuffing is a growing threat to businesses and individuals, and CyberCX is tracking an increase in these attacks,” he said.

“Nearly every Australian adult has been impacted by a data breach and criminals are using these breaches, often with automated scripts, to conduct credential stuffing attacks at scale.”

MacGibbon advised people to use strong, unique passwords and not to use the same one across multiple accounts. He said organisations should implement multi-factor authentication and conduct data exposure assessments to find out where their credentials were available on the dark web.
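As an added illustration (not from the article, and not code from any of the funds or firms named), the following is a simple defender-side heuristic for spotting the pattern MacGibbon describes in member-portal login logs: one source address trying many distinct accounts within a short window, with any successful logins from that address flagged for review as possible account takeovers. The log format, addresses and member numbers are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real data): timestamp, source IP, member number, outcome.
# The first address tries six different accounts in seconds; the second is one member
# who mistypes their password twice and then succeeds, which should not be flagged.
SAMPLE_LOG = """\
2025-04-01T02:00:01 203.0.113.7 member=100001 result=FAIL
2025-04-01T02:00:02 203.0.113.7 member=100002 result=FAIL
2025-04-01T02:00:03 203.0.113.7 member=100003 result=FAIL
2025-04-01T02:00:04 203.0.113.7 member=100004 result=FAIL
2025-04-01T02:00:05 203.0.113.7 member=100005 result=SUCCESS
2025-04-01T02:00:06 203.0.113.7 member=100006 result=FAIL
2025-04-01T09:15:00 198.51.100.4 member=200001 result=FAIL
2025-04-01T09:15:30 198.51.100.4 member=200001 result=FAIL
2025-04-01T09:16:00 198.51.100.4 member=200001 result=SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, member, result)."""
    ts, ip, member, result = line.split()
    return (datetime.fromisoformat(ts), ip,
            member.split("=", 1)[1], result.split("=", 1)[1])


def detect_credential_stuffing(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: {"accounts": n, "successes": [members]}} for every source IP that
    attempted at least `min_accounts` distinct member accounts inside `window`.
    `successes` lists accounts that logged in from a flagged IP and need review."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window forward so it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            accounts = {e[2] for e in window_evs}
            if len(accounts) >= min_accounts:
                successes = sorted({e[2] for e in window_evs if e[3] == "SUCCESS"})
                alerts[ip] = {"accounts": len(accounts), "successes": successes}
    return alerts


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
```

Thresholds are assumptions; a real deployment would tune `window` and `min_accounts` against normal portal traffic and pair the alert with MFA step-up or account lockout rather than act on it alone.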

ASFA said the industry was working together to improve system-wide defences, including establishing a hotline between the sector and relevant government agencies, improving information sharing, and developing frameworks to combat financial and cybercrime.
