Australia’s circa $4 trillion super industry and its members were hit by a large and co-ordinated cyberattack last Friday that compromised thousands of accounts and led to some members losing retirement savings.
Members of funds including Australian Retirement Trust, Rest, Hostplus, AustralianSuper and Insignia were targeted by cybercriminals who likely bought their account details (name, email address, password) on the dark web after they were stolen in an unrelated breach, then tried those reused credentials against fund login portals, a technique known as credential stuffing.
At AustralianSuper, the criminals succeeded in stealing a combined total of at least $500,000 from four members in the retirement phase. The attackers likely changed account details in the middle of the night so that members would not notice before the money was withdrawn.
AustralianSuper would not confirm to Investment Magazine whether those changes would have triggered two-factor authentication. The fund is working with police to recover the money, but said it would be able to make the affected members whole out of its operational risk reserve.
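The pattern described above, reused credentials tried against many accounts from a single source, followed by an out-of-hours change of payout details and then a withdrawal, is one that a fund or its administrator can detect from its own portal logs. The following is an added example written for this article; it is not code from any of the funds or regulators named here. The log format, the field names, the thresholds (five distinct accounts in ten minutes, a 15-minute MFA grace period, a 72-hour change-to-withdrawal window, quiet hours of midnight to 6am) and the sample events are all constructed assumptions.

```python
"""Two detection heuristics for the credential-stuffing-then-withdraw pattern.
Log format, event names and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real fund logs: "timestamp|account|ip|event".
# 203.0.113.7 sprays eight accounts in 14 seconds, gets two hits, changes bank
# details on both overnight and withdraws from one. 198.51.100.5 is a member
# who passed MFA before a daytime change. 192.0.2.9 is a single typo.
SAMPLE_LOG = """\
2025-04-04T01:02:10|A1001|203.0.113.7|login_failed
2025-04-04T01:02:12|A1002|203.0.113.7|login_failed
2025-04-04T01:02:14|A1003|203.0.113.7|login_ok
2025-04-04T01:02:16|A1004|203.0.113.7|login_failed
2025-04-04T01:02:18|A1005|203.0.113.7|login_failed
2025-04-04T01:02:20|A1006|203.0.113.7|login_failed
2025-04-04T01:02:22|A1007|203.0.113.7|login_failed
2025-04-04T01:02:24|A1008|203.0.113.7|login_ok
2025-04-04T01:03:40|A1003|203.0.113.7|bank_details_changed
2025-04-04T01:04:00|A1008|203.0.113.7|bank_details_changed
2025-04-04T02:15:00|A1003|203.0.113.7|withdrawal_requested
2025-04-04T09:30:00|A2001|198.51.100.5|login_ok
2025-04-04T09:31:00|A2001|198.51.100.5|mfa_ok
2025-04-04T09:32:00|A2001|198.51.100.5|bank_details_changed
2025-04-04T10:00:00|A2001|198.51.100.5|withdrawal_requested
2025-04-04T11:00:00|A3001|192.0.2.9|login_failed
2025-04-04T11:00:30|A3001|192.0.2.9|login_ok
"""

LOGIN_EVENTS = {"login_ok", "login_failed"}


def parse_log(text):
    """Parse 'timestamp|account|ip|event' lines into time-sorted dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, event = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "event": event})
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: set(accounts)} for sources that attempted logins to at least
    min_accounts distinct accounts inside a sliding window. A stuffed list of
    leaked credentials mostly fails; the few login_ok events from the same
    source are the accounts that were actually compromised."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in LOGIN_EVENTS:
            by_ip[e["ip"]].append(e)  # already time-sorted by parse_log
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            accounts = {a["account"] for a in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = flagged.get(ip, set()) | accounts
    return flagged


def detect_change_then_withdraw(events, max_gap=timedelta(hours=72),
                                mfa_grace=timedelta(minutes=15),
                                quiet_hours=range(0, 6)):
    """Flag payout-detail changes that lack a recent MFA step from the same
    source, happen during quiet hours, or are followed by a withdrawal.
    Each alert lists the reasons so a reviewer can prioritise holds."""
    gap_label = f"withdrawal_within_{int(max_gap.total_seconds() // 3600)}h"
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            if e["event"] != "bank_details_changed":
                continue
            reasons = []
            mfa_recent = any(p["event"] == "mfa_ok" and p["ip"] == e["ip"]
                             and e["ts"] - p["ts"] <= mfa_grace for p in evs[:i])
            if not mfa_recent:
                reasons.append("no_mfa_before_change")
            if e["ts"].hour in quiet_hours:
                reasons.append("out_of_hours")
            if any(n["event"] == "withdrawal_requested"
                   and n["ts"] - e["ts"] <= max_gap for n in evs[i + 1:]):
                reasons.append(gap_label)
            if reasons:
                alerts.append({"account": account, "changed_at": e["ts"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", detect_credential_stuffing(evs))
    for alert in detect_change_then_withdraw(evs):
        print(alert)
```

On the constructed sample the first detector flags only 203.0.113.7, and the second flags both overnight changes made without an MFA step, the one followed by a withdrawal carrying all three reasons. The daytime member who passed MFA is still surfaced, but only because a withdrawal followed a detail change within the window, which is the kind of event many funds would hold for a callback regardless of how clean the login looked. In production the equivalent of the `mfa_ok` check is what answers the question AustralianSuper would not: whether a bank-detail change can happen at all without a second factor.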
In the aftermath of the attack, super fund apps crashed as members rushed to check their accounts, and rumour and hearsay spread quickly. Investment Magazine understands that at least one fund has been dealing with this problem for the past month, raising questions about when regulators became involved.
APRA is directing all inquiries to the National Cyber Security Coordinator, which declined to answer a list of detailed questions from Investment Magazine, instead attaching a general statement made by Lieutenant General Michelle McGuinness on the social media site X (formerly Twitter).
While the Association of Superannuation Funds of Australia (ASFA) issued a statement last Friday, it declined to comment on when it became aware that the industry was being targeted. Senior executives at a number of administrators and super funds also declined to comment. The issue has been escalated to the Australian Signals Directorate, the nation's signals intelligence agency.
Scams in focus
The Conexus Institute* has consistently warned that members could lose money to scams. In a January report, Systemic Impacts of 'Big Super', The Conexus Institute warned that activities like cold calling and social media click-bait could be "the tip of the iceberg", and that members in the retirement phase were a lucrative target for scammers because many of them hold higher balances and their assets can be withdrawn almost immediately.
With few exceptions, those already public, most of the fund chiefs Investment Magazine canvassed on Friday afternoon could say definitively that their members had not been exposed to any threat.
But while most of the executives could say member money hadn’t been compromised, the attack will only heighten scrutiny on funds and their administration arrangements at a time when the industry is already under fire for lax service. As Super Consumers Australia pointed out, superannuation isn’t currently included in the new Scams Prevention Framework, which is “intended to lift protections for customers of banks, telecommunications providers and digital platforms”.
And regulators and commentators have been warning for years that, when it comes to protecting their members from scams, super funds need to do more.
Members at risk
In November 2023, APRA chair John Lonsdale said funds and other financial institutions hadn’t moved quickly enough to improve cyber resilience and that many were having a hard time “ensuring third party controls are effective, making sure that systematic security control testing is in place, and regularly testing incident response plans”. And ASIC wrote to trustees in January of this year to warn them that they needed to “strengthen anti-scam practices or risk exposing members to harm” following a review of 15 trustees that found none had an organisation-wide scams strategy in place.
That letter attracted criticism from ASFA, which said ASIC “appeared to ignore the significant steps the sector has taken to effectively protect super savings”.
“ASIC’s letter to superannuation trustees… seemingly ignores the super sector’s proactive measures to tackle these rare super scams, measures which ASIC is aware of,” said ASFA CEO Mary Delahunty. “… ASIC appears to have come to the confusing conclusion that no evidence of scams existing or increasing means that the scammers are winning – instead of the other more reasonable conclusion, that the work of super funds and their services providers is effective.”
But while the breach is of significant scale, the fact that members of the majority of funds targeted did not lose money might demonstrate that super funds are indeed alive to the risk and proactively managing it.
Once Rest noticed the suspicious activity, it immediately shut down its online MemberAccess portal, launched an investigation and activated its cyber security protocols. It has also contacted members whose personal details might have been compromised. Insignia also acted quickly once it detected suspicious activity; it says that at this stage there has been no financial impact to its customers and that its cyber security team is “actively working to apply additional monitoring and mitigations to protect customer accounts”. AustralianSuper said that it took “immediate action” to lock member accounts when it realised they were being targeted.
For the four members who had money stolen, that is unlikely to be good enough. Funds can add scams and cyber security to the long list of areas where the regulator will want to see improvement, and members who face the prospect of their money vanishing into the aether will move it to funds with better security arrangements.
The amount of money parked in APRA-regulated super funds was always going to attract unwanted attention, and for that reason the super industry should have anticipated it.
In an ironic twist, a phishing email – sent from a scammer purporting to be ACSI chair and HESTA chief Debby Blakey – was sent out to ACSI members on Wednesday, asking for payment so that ACSI’s annual conference could go ahead. Sources say it’s the second time it’s happened.
*The Conexus Institute is a not-for-profit think-tank philanthropically funded by Conexus Financial, publisher of Investment Magazine