Representation. A hacker.

Hackers targeted Australian superannuation funds this week, stealing a total of AU$500,000 from a few customers and compromising some members' personal data, according to the Association of Superannuation Funds of Australia (ASFA).

Stolen passwords

The association said on Friday that cybercriminals tried to breach the security systems of multiple superannuation funds last weekend. While most attacks were blocked, some companies were affected, The Guardian reported.

ASFA did not name the impacted funds but confirmed they were reaching out to affected members to inform them if their data had been compromised. It reassured retirement savers that superannuation funds and their service providers already have strong cybersecurity measures in place.

AustralianSuper reported that four of its members lost a combined AU$500,000 in the attack. The hackers used stolen passwords from 600 members to log into accounts and attempt fraud.

"Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app, and we are urging members to take steps to protect themselves online," AustralianSuper's chief member officer, Rose Kerlin, said.

"While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online."

Albanese vows strong government response

Prime Minister Anthony Albanese said on Friday that he had been informed about the cyberattack. He acknowledged that cyberattacks happen frequently in Australia, with one occurring approximately every six minutes.

Albanese emphasized that the government was aware of the issue and was taking it seriously. He also noted that funding for the Australian Signals Directorate has been increased to strengthen cybersecurity efforts.

He gave an assurance that the relevant agencies are actively working on the situation and that the government will provide a well-planned response.

Australian Ethical unaffected, HostPlus investigates

Australian Ethical reported that its fund was unaffected, attributing the attack to the reuse of previously leaked passwords. The company emphasized its security measures, including multi-factor authentication and internal controls, to protect members.

HostPlus stated that it was still investigating, but had found no evidence of financial losses among its members. The fund reiterated its commitment to safeguarding member accounts and data.

National cybersecurity coordinator Lt. Gen. Michelle McGuinness confirmed that government agencies were working together on a coordinated response.

Regulatory bodies, including the Australian Prudential Regulation Authority and the Australian Securities and Investments Commission, were engaging with affected superannuation funds to ensure member protection.

Cybersecurity expert Alastair MacGibbon highlighted that the attack was carried out using credential stuffing, a growing cyber threat. This method involves hackers using stolen credentials from previous data breaches and automated scripts to gain unauthorized access to accounts.

The rise in such attacks poses a massive risk to businesses and individuals, with nearly every Australian adult having been affected by data breaches.
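How a fund's security team might spot the credential stuffing pattern described above in its login logs, as an added example that is not from the article or any of the funds named. The log format, thresholds, function names, IP addresses and usernames are all assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed login log entries: (source_ip, username, success)."""
    events = []
    # One source tries many accounts once each: the stuffing pattern.
    for i in range(12):
        events.append(("203.0.113.7", f"member{i:03d}", i == 4))
    # One source hammers a single account: password guessing, not stuffing.
    for _ in range(15):
        events.append(("198.51.100.9", "member500", False))
    # Ordinary member who mistypes once, then logs in.
    events += [("192.0.2.44", "member777", False),
               ("192.0.2.44", "member777", True)]
    return events

def classify_sources(events, min_accounts=10, min_failure_rate=0.8,
                     max_per_account=3, brute_min=10):
    """Label each source and list accounts it logged into successfully."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> tries
    failures = defaultdict(int)                       # ip -> failed logins
    hits = defaultdict(set)                           # ip -> users logged in
    for ip, user, ok in events:
        attempts[ip][user] += 1
        if ok:
            hits[ip].add(user)
        else:
            failures[ip] += 1

    report = {}
    for ip, users in attempts.items():
        total = sum(users.values())
        failure_rate = failures[ip] / total
        busiest = max(users.values())  # most tries against any one account
        if (len(users) >= min_accounts and busiest <= max_per_account
                and failure_rate >= min_failure_rate):
            label = "credential_stuffing"   # wide and shallow
        elif busiest >= brute_min and failure_rate >= min_failure_rate:
            label = "brute_force"           # narrow and deep
        else:
            label = "normal"
        # A success from a stuffing source means a reused password worked:
        # that account should be locked and the member notified.
        to_lock = sorted(hits[ip]) if label == "credential_stuffing" else []
        report[ip] = {"label": label, "accounts_to_lock": to_lock}
    return report

if __name__ == "__main__":
    for ip, result in classify_sources(build_sample_events()).items():
        print(ip, result)
```

Counting per source address misses campaigns spread across many addresses, so a check like this is usually paired with portal-wide failure-rate monitoring and multi-factor authentication.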