Australian superannuation funds have been hit by attackers using stolen credentials to access members’ accounts.
AustralianSuper said that “up to 600” of its members were impacted by the incident, while Rest Super said that “less than one percent” of its members were impacted, which equates to fewer than 20,000 members based on membership numbers from its most recent financial report [pdf].
Other funds were also reportedly caught up in the attack, but iTnews has not yet verified this. Comment is being sought.
Rest’s chief executive Vicki Doyle said in a statement that “unauthorised activity” was detected on its member access portal “over the weekend of 29-30 March”.
“We responded immediately by shutting down the member access portal, undertaking investigations and launching our cyber security incident response protocols,” Doyle said.
While crediting its “incident response protocols” for limiting the blast radius, the fund noted the incident “will be very concerning for the members who have been impacted and we are very sorry this has happened.”
Doyle said that no member funds were transferred out of accounts, but “limited personal information” was likely accessed.
“We are in the process of contacting impacted members to work through what this means for them and provide support,” Doyle said.
AustralianSuper’s chief member officer Rose Kerlin said it had “seen a spike in suspicious activity across our member portal and mobile app… over the past week”.
“This week we identified that cyber criminals may have used up to 600 members’ stolen passwords to log into their accounts in attempts to commit fraud,” Kerlin said.
“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”
AustralianSuper urged members to log into their accounts “to check that their bank account and contact details are correct and make sure they have a strong and unique password that is not used for other sites.”
It also said it had been working with “the Australian Signals Directorate, the National Office of Cyber Security, regulators and other authorities” since the unauthorised access was detected.
National cyber security coordinator Lieutenant General Michelle McGuinness confirmed that “cyber criminals are targeting individual account holders of a number of superannuation funds.”
“I am working with agencies across the Australian government including with the financial system regulators, and with industry stakeholders to provide cyber security advice and coordinate the whole-of-government response to this incident,” McGuinness said in a statement posted to LinkedIn.
“The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) are engaging with all potentially impacted superannuation funds to support safe outcomes for members.”
Other superannuation funds said they were aware of the incident and were attempting to determine whether they had any exposure to it.
A Hostplus spokesperson said it is “actively investigating the situation to determine the facts and the extent of any impact to Hostplus.”
“Whilst the investigation remains ongoing, we can confirm that no Hostplus member losses have occurred,” the spokesperson said.
“Our top priority is the security and privacy of our members and their accounts, and we are taking all necessary measures to protect our systems and data.
“We understand the importance of transparency and will provide further information as it becomes available.”