
Australian super funds compromised after data breach as hackers use stolen passwords

Hackers have targeted Australian superannuation funds this week, the retirement savings industry’s peak body has said, with a number of funds having member data compromised.

The Association of Superannuation Funds of Australia (ASFA) said in a statement on Friday that hackers attempted to breach the cyber-defences of a number of superannuation funds last weekend, and while the majority of attempts were stopped, a number of companies were affected.

ASFA did not name them, but said funds were contacting all affected members to let them know if their data had been compromised.

“Retirement savers should be assured superannuation funds and their service providers already have rigorous cyber protections in place,” ASFA said in a statement.

A spokesperson for Rest superannuation fund said the attack had affected 8,000 of its members, with limited personal data exposed in the majority of cases, including first names, email addresses and Rest member numbers. The fund said there was a chance other data – including full names, addresses, account beneficiaries and account balances – could have been accessed for fewer than 20 members.

“Due to our incident response protocols, the impact has been limited to less than 1% of our members. Nevertheless, this will be very concerning for the members who have been impacted and we are very sorry this has happened,” Vicki Doyle, chief executive at Rest, said.

“We are in the process of contacting impacted members to work through what this means for them and provide support. No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

AustralianSuper confirmed it had been the victim of an attack, with passwords stolen from 600 members used to log into their accounts and attempt to commit fraud.

“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app and we are urging members to take steps to protect themselves online,” AustralianSuper’s chief member officer, Rose Kerlin, said.

“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”

The fund advised members to log into their accounts to make sure their bank and contact details are correct, and ensure they use a strong and unique password for the account.

Australian Ethical said its analysis so far showed the fund was unaffected, but that the attacks had been exacerbated by the reuse of passwords exposed in previous data leaks.

“While the reported attacks appear to involve the reuse of passwords exposed in earlier data breaches, we are not being complacent,” the fund said.

“We have multi-factor authentication for all members, and internal controls to protect members in these circumstances.”

Alastair MacGibbon, chief strategy officer at leading cybersecurity firm CyberCX, said the practice used by the hackers, known as credential stuffing, is on the rise.

“Credential stuffing is a growing threat to businesses and individuals and CyberCX is tracking an increase in these attacks,” he said.

“Nearly every Australian adult has been impacted by a data breach and criminals are using these breaches, often with automated scripts, to conduct credential stuffing attacks at scale.”

MacGibbon advised people to use strong unique passwords, and not to use the same password across multiple accounts. He said organisations should implement multi-factor authentication, and conduct data exposure assessments to find out where their credentials were available on the dark web.
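The "automated scripts at scale" MacGibbon describes leave a recognisable trace in a portal's authentication log: one source trying many different member accounts with a mostly failing hit rate, because a replayed breach list only matches where a member reused a password. The block below is an added example, not code from any fund, from ASFA or from CyberCX; the log format, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detection over portal authentication logs.

Added example for this article, not a fund's or CyberCX's code.
Log format, thresholds and sample data are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (made up for this example). Assumed format:
# <ISO timestamp> <source_ip> <username> <result>
# 203.0.113.10 replays a breach list across ten accounts; 198.51.100.7 is one
# member mistyping their own password twice before getting it right.
SAMPLE_LOG = """\
2025-04-05T01:00:01Z 203.0.113.10 alice LOGIN_FAIL
2025-04-05T01:00:02Z 203.0.113.10 bob LOGIN_FAIL
2025-04-05T01:00:02Z 203.0.113.10 carol LOGIN_OK
2025-04-05T01:00:03Z 203.0.113.10 dave LOGIN_FAIL
2025-04-05T01:00:03Z 203.0.113.10 erin LOGIN_FAIL
2025-04-05T01:00:04Z 203.0.113.10 frank LOGIN_FAIL
2025-04-05T01:00:04Z 203.0.113.10 grace LOGIN_OK
2025-04-05T01:00:05Z 203.0.113.10 heidi LOGIN_FAIL
2025-04-05T01:00:05Z 203.0.113.10 ivan LOGIN_FAIL
2025-04-05T01:00:06Z 203.0.113.10 judy LOGIN_FAIL
2025-04-05T01:05:00Z 198.51.100.7 alice LOGIN_FAIL
2025-04-05T01:05:09Z 198.51.100.7 alice LOGIN_FAIL
2025-04-05T01:05:20Z 198.51.100.7 alice LOGIN_OK
2025-04-05T01:06:00Z 192.0.2.44 bob LOGIN_OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append(AuthEvent(ts, ip, user, result == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, min_accounts=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_accounts, attempts, fail_ratio)} for sources that
    try many different accounts and mostly fail. That is the fingerprint of a
    replayed breach list; a member mistyping their own password touches one
    account and does not trip the distinct-account threshold."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_ip[e.ip]
        s["users"].add(e.user)
        s["attempts"] += 1
        if not e.ok:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = (len(s["users"]), s["attempts"], round(ratio, 2))
    return flagged


def accounts_to_lock(events, flagged_ips):
    """Accounts a flagged source logged into successfully: the replayed
    password was correct, so those accounts need locking and a reset, and
    their members need to be told (as AustralianSuper describes doing)."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evs)
    print("stuffing sources:", flagged)
    print("accounts to lock:", accounts_to_lock(evs, flagged))
```

On the constructed log this flags 203.0.113.10 (ten accounts, 80% failure) and lists carol and grace as the accounts to lock, while the member who mistyped twice is left alone. Per-IP counting is the simplest signal and is easy to evade by spreading attempts across a proxy pool, so in practice it is paired with a fleet-wide check (the failure rate across all accounts in a window against its baseline) and with the controls the article's sources name: MFA, so a correct replayed password is not enough on its own, and checks of chosen passwords against known-breached lists.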

ASFA said the industry was working together to improve system-wide defences, including establishing a hotline between the sector and relevant government agencies, improving information sharing, and developing frameworks to combat financial and cybercrime.
