So far, the super funds affected by the incident include Rest, Hostplus, Australian Retirement Trust, AustralianSuper and Insignia, the owner of MLC.
While members of the affected super funds are being urged to check their accounts for suspicious activity, media reports suggest that the threat actors targeted accounts in the pension drawdown phase, as those accounts can request lump-sum withdrawals.
Additionally, an anonymous finance expert speaking with InvestorDaily’s sister brand Cyber Daily added that normal superannuation accounts are extremely difficult to withdraw from, resulting in pensioners becoming a likely target for the threat actors.
Rest CEO Vicki Doyle revealed that they detected the activity last weekend, adding that 1 per cent of its members, roughly 20,000, according to The Sydney Morning Herald, were affected. However, The Australian Financial Review revealed that 8,000 accounts had been affected by the incident.
“Over the weekend of 29–30 March 2025, Rest became aware of some unauthorised activity on our online Member Access portal. We responded immediately by shutting down the Member Access portal, undertaking investigations and launching our cyber security incident response protocols,” Doyle said.
“At this stage, we believe that some of our members may have had limited personal information accessed and we are currently working through this with those impacted members.”
Doyle added that no Rest accounts have had funds taken out of them but told the Financial Review that data such as first names, email addresses and member numbers may have been compromised.
Similarly, chief member officer for AustralianSuper, Rose Kerlin, said they detected a spike in suspicious criminal activity last week.
“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app and we are urging members to take steps to protect themselves online,” Kerlin said.
“This week we identified that cyber criminals may have used up to 600 members’ stolen passwords to log into their accounts in attempts to commit fraud.
“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”
A spokesperson for AustralianSuper told Cyber Daily that compromised accounts have been locked down with their owners contacted, and that all accounts have had their capabilities restricted to prevent card and banking details from being changed. Additionally, AustralianSuper has contacted the office of the National Cyber Security Coordinator regarding the incident.
Speaking with the media, Insignia Financial confirmed that the breach was the result of a credential stuffing incident.
“This activity, known as credential stuffing, involved an unusual number of login attempts targeting the Insignia Financial Expand platform. At this stage, we have not observed similar activity across any of our other customer facing platforms,” spokesperson for Insignia Financial said.
“Our Cyber Security and Wrap Technology teams are actively working to apply additional monitoring and mitigations to protect customer accounts, and as a precaution, we have taken steps to restrict some activities on the platform. Some customers will receive communications prompting them to reset their passwords when they next login to their accounts.”
Insignia added that impacted customers would be contacted and that there was currently no financial impact.
The Association of Superannuation Funds of Australia (ASFA) has said that connections between superannuation firms, government agencies and financial services is critical in preventing future cyber attacks.
ASFA, in a statement on Friday, also said security frameworks should be industry wide and that superfunds should engage in information sharing between themselves and critical service providers.
“In a rapidly evolving threat landscape, there will always be new and emerging risks, but Australia’s super sector is proactively working together to improve system-wide defences, including through the ASFA Financial Crime Protection Initiative (FCPI),” ASFA said.
“ASFA convenes a regular sector-wide Cyber Security Threat Intelligence Working Group, which brings together industry leaders from across superannuation to respond to emerging cyber security issues.
“Through the FCPI, ASFA will imminently be releasing a toolkit to ensure strong sector coordination in relation to cyber security.
“ASFA has also been heavily engaged with government consultations on strengthening Australia’s cyber security protection laws.”
