15 Apr 2025

Cyber Attacks on Australian Super Funds: What We Know So Far

Recently, several large superannuation funds in Australia, including AustralianSuper, HostPlus, Rest, and Australian Retirement Trust, were targeted in cyber attacks.


The breaches, discovered over a weekend, were linked to the theft of hundreds of thousands of dollars from member accounts. Experts suggest the attacks were relatively unsophisticated and succeeded because of basic security weaknesses in the superannuation sector, such as the lack of multi-factor authentication (MFA). These breaches should act as a wake-up call for the industry to strengthen its cybersecurity controls.

The cybercriminals behind the attacks are believed to have used stolen passwords, with some reports indicating that up to 600 passwords were used to access accounts. The technique used is known as "credential stuffing," where stolen login credentials from previous data breaches are tested across multiple platforms. Experts highlight that superannuation funds were particularly vulnerable due to the absence of multi-factor authentication, a key security measure that could have prevented unauthorized access even with stolen passwords. While many attempts were blocked, some funds were successfully compromised, and affected customers are still experiencing issues accessing their accounts.

In response to the breach, superannuation funds are reassuring members that they are working to rectify the situation, and victims will likely be reimbursed, as most super funds have fraud insurance. Cybersecurity experts have called for the industry to adopt stronger security measures, including mandatory MFA, which will be enforced by the Financial Services Council by 2026. In the meantime, customers are urged to change their passwords and ensure they use unique credentials across all accounts. Experts also recommend that super funds implement more sophisticated fraud detection systems to prevent future attacks.
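The credential-stuffing pattern described above has a recognisable shape in authentication logs: one source address tries many different member accounts, most attempts fail, and a few succeed. The following is an added example, not code from the article or from any superannuation fund, that scans constructed sample log lines for that pattern; the log format (timestamp, source IP, account, result) and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (hypothetical format:
# timestamp source_ip account result). Not from any real fund.
SAMPLE_LOG = """\
2025-04-05T02:01:10Z 203.0.113.9 member1001 FAIL
2025-04-05T02:01:11Z 203.0.113.9 member1002 FAIL
2025-04-05T02:01:12Z 203.0.113.9 member1003 SUCCESS
2025-04-05T02:01:13Z 203.0.113.9 member1004 FAIL
2025-04-05T02:01:14Z 203.0.113.9 member1005 FAIL
2025-04-05T02:01:15Z 203.0.113.9 member1006 FAIL
2025-04-05T02:02:00Z 198.51.100.7 member2001 FAIL
2025-04-05T02:02:05Z 198.51.100.7 member2001 FAIL
2025-04-05T02:02:09Z 198.51.100.7 member2001 SUCCESS
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)

def parse_log(text):
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines instead of aborting
        _ts, ip, account, result = parts
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if result != "SUCCESS":
            s.failures += 1
    return stats

def flag_stuffing(stats, min_accounts=5, min_fail_ratio=0.6):
    """Flag sources that spray many distinct accounts with mostly failures.
    A brute force against one account (many failures, one account) does
    not match; stuffing tries each stolen pair once across many accounts."""
    flagged = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.accounts) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {"accounts": len(s.accounts),
                           "fail_ratio": round(ratio, 2),
                           "successes": s.attempts - s.failures}
    return flagged
```

The `successes` count on a flagged source is the list of accounts to treat as compromised (forced password reset and step-up verification), which is the gap MFA would have closed even with valid stolen passwords.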
