At least A$500,000 was stolen in a major cyber-security breach involving thousands of Australian superannuation accounts on Friday.
Four AustralianSuper customers lost $500,000 (US$305,000), according to the Australian Financial Review (AFR) and Australian newspapers, in what Australia’s biggest super fund described as a spike in suspicious activity on around 600 member accounts.
Media reports suggest the coordinated attack also involved Australian Retirement Trust, Hostplus, Rest and Insignia Financial (ASX: IFL).
The AFR reported that the attack involved thousands of accounts across the five funds, while Insignia told the Australian Securities Exchange (ASX) suspicious activity was found on about 100 accounts on its Expand Platform.
Insignia said the attack appeared to involve a malicious third party undertaking “credential stuffing”, whereby large volumes of stolen username and password pairs are used to gain unauthorised access to accounts.
“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cybersecurity advice,” National cyber security co-ordinator Lieutenant General Michelle McGuinness was quoted as saying.
AustralianSuper, which manages $365 billion, said steps taken to safeguard members’ accounts included locking accounts, notifying members via SMS or email and disabling some mobile app and online account functionality for all members.
“As a result, AustralianSuper members will not be able to change their bank account or contact details at this time. We regret the inconvenience this will cause some members,” the fund said in a statement on its website.
The Association of Superannuation Funds of Australia (ASFA) said although most attempts to break through some funds' cyber-defences were repelled, some members were affected.
“Retirement savers should be assured superannuation funds and their service providers already have rigorous cyber protections in place,” ASFA said in a media release.
Liz McCarthy, CEO of Insignia’s MLC Expand, said: “As is good practice, we encourage customers not to reuse the same credentials across multiple platforms and services, set strong and unique passphrases, and install software updates regularly to keep their devices secure.”