Early indications are that a recent rash of cyber attacks on Australia’s biggest superannuation funds was a credential stuffing campaign making use of information from older data breaches. Despite the national focus on cybersecurity in recent years, the attacks compromised at least a few hundred accounts and led to the theft of at least AUD 500,000.
Much of that came from the account of one unfortunate pensioner, but other superannuation funds have yet to release full details of their cyber attacks as investigations continue. Some of the funds, which generally handle millions of accounts, reported only several hundred compromises. But at least one reported 20,000 accounts breached, or about 1% of its total customer base.
Lack of MFA options may have contributed to superannuation funds raid
Though only several hundred clients from most of the superannuation funds were found to have had their accounts breached, many more logged in after seeing the news, only to be shocked by a zero balance or to find that the website would not let them in. One of the largest funds, AustralianSuper, said that it was experiencing “glitches” during the cyber attack cleanup and that some members might temporarily see a zero balance while not actually being impacted by the breach. AustralianSuper is also the source of most of the reported AUD 500,000 known to be stolen at this point, saying that well over $400,000 came from the account of one pensioner.
Australian Ethical, a superannuation fund that reported attempts but no successful account breaches, said that it detected the attackers using passwords previously leaked in prior data breaches. That points to a simple credential stuffing campaign, but one that seems to have been large and well-coordinated.
Some of the impacted clients point to the lack of MFA options at many of these companies as a contributing factor. Though the Financial Services Council is pushing for MFA to be mandatory for superannuation funds in a little over a year, customers say that they were told by certain funds as recently as a few weeks ago that MFA is not offered because it is not necessary.
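Credential stuffing of the kind Australian Ethical describes leaves a recognisable footprint in authentication logs: one source trying many distinct accounts, mostly failing, with an occasional success where a reused password still works. The following Python is an added example, not code from any of the funds named here; the log format, IP addresses, member numbers and detection thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample authentication log (not from any real fund):
# timestamp, source IP, account, outcome. 203.0.113.7 walks through many
# accounts with one hit; 198.51.100.5 is one member retrying their own login.
SAMPLE_LOG = """\
2025-04-03T02:14:01Z 203.0.113.7 member10021 FAIL
2025-04-03T02:14:02Z 203.0.113.7 member10044 FAIL
2025-04-03T02:14:02Z 203.0.113.7 member10090 SUCCESS
2025-04-03T02:14:03Z 203.0.113.7 member10131 FAIL
2025-04-03T02:14:03Z 203.0.113.7 member10177 FAIL
2025-04-03T02:14:04Z 203.0.113.7 member10202 FAIL
2025-04-03T08:30:11Z 198.51.100.5 member55512 FAIL
2025-04-03T08:30:25Z 198.51.100.5 member55512 SUCCESS
"""

def parse_log(text):
    """Yield (source_ip, account, succeeded) from the constructed line format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        _ts, ip, account, outcome = parts
        yield ip, account, outcome == "SUCCESS"

def flag_stuffing_sources(text, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources whose pattern matches credential stuffing.

    Stuffing replays leaked username/password pairs, so the signal is many
    *distinct* accounts per source with mostly failures. One member mistyping
    their own password stays below min_accounts and is not flagged. Thresholds
    are assumptions; tune them against your own baseline traffic.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0,
                                  "failures": 0, "compromised": set()})
    for ip, account, ok in parse_log(text):
        s = per_ip[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        if ok:
            s["compromised"].add(account)  # a success from a stuffing source needs review
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_accounts": len(s["accounts"]),
                           "fail_ratio": round(fail_ratio, 2),
                           "compromised": sorted(s["compromised"])}
    return flagged
```

A production detector would key on more than source IP (ASN, device fingerprint, per-account velocity), since stuffing campaigns rotate through proxy pools; the `compromised` list is what the fraud team follows up on, and MFA is what stops a correct-but-leaked password from being enough on its own.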
Simple cyber attack nevertheless penetrates over 20,000 accounts
Though it made use of old, already-leaked credential combinations, and though Australia has been on high alert for cyber incidents since at least 2023, the cyber attack was nevertheless able to land quite a few targets and cause some notable damage.
Rest Super, the largest superannuation fund in the country for retail workers, seems to be the hardest-hit thus far with about 20,000 accounts breached. However, it is unknown how much (if any) money was taken. Other large funds have reported that the cyber attack hit only about 100 accounts and there is no evidence of money being taken.
The possibility of personal information being exposed is at least equally concerning, given the total number of accounts impacted. However, this damage also may have been limited. Rest said that the attackers would have had access only to first names, email addresses and member numbers for all but about 20 people. That smaller group may have had full names, addresses, and account beneficiaries and balances exposed, but there is no indication of bank information or national ID numbers being involved as of yet.
Australia is in the midst of an expansive seven-year plan to overhaul its data privacy laws and cybersecurity standards, spurred on in 2023 by a string of massive data breaches that caused millions of citizens to change their national ID numbers and get new photo IDs issued. The government has acknowledged the rash of superannuation fund cyber attacks, indicating that it is coordinating its response with the leading industry body, the Association of Superannuation Funds of Australia.