First State Super (FSS) responded appropriately to a breach of its data security last year, a report by privacy commissioner Timothy Pilgrim found.
The commissioner concluded that the fund and its administrator Pillar had breached National Privacy Principle 4.1, which states that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
But the commissioner also said the organisations had taken appropriate measures once they became aware of the problem.
"The commissioner acknowledges that upon becoming aware of this matter, FSS's administrative manager, Pillar and FSS itself acted immediately to contain the incident, commenced an internal investigation of the incident, reviewed data security practices and sought external advice on how to handle the situation," Pilgrim said.
"Consequently, the commissioner ceased his own motion investigation into this matter, on the basis that the response to this incident appears adequate in the circumstances."
The commissioner has closed the case.
In September 2011, security specialist and OSI Security principal consultant Patrick Webster, and former FSS member, was able to access the details of 568 other members.
But the report published yesterday revealed that the super fund's security systems were successful in identifying an issue with its server before FSS was contacted by Webster.
"Specifically, Pillar's website monitoring system did detect an abnormality in its server logs on the morning of the incident," Pilgrim said.
Commenting on the report's findings, FSS chief executive Michael Dwyer said: "We acknowledge the commissioner's finding that our data security at the time was inadequate, but it is important to understand that at no time was there any opportunity for fraudulent transactions to occur."
But Dwyer also said the incident was not taken lightly by the fund.
"Clearly the breach was not insignificant," he said.
"We have apologised to our members and they can have every confidence that their personal information and their accounts are subject to stringent security protocols including regular ongoing security testing and reporting by highly regarded, independent specialist IT security consultants."
