A widespread and coordinated cyber attack against Australian super funds late last week rattled the public’s trust in the entities holding their retirement funds.
Accounts were fraudulently logged into, financial data was accessed, and some unlucky customers had their savings robbed by unscrupulous hackers.
The funds affected by the incident include Rest, Hostplus, AustralianSuper, Insignia’s Expand platform, and Australian Retirement Trust.
Speaking on the incident on Monday, Treasurer Jim Chalmers said both APRA and ASIC are engaging with all of the potential impacted super funds to support safe outcomes for members.
“On Friday, we convened the council of financial regulator agencies to get an update on their ongoing response to this incident as well. That’s working around the clock in response to the incident and it’s all about protecting fund members and improving security measures,” the Treasurer said.
Louis Droguett, CEO of Australian software firm Software@Scale, told InvestorDaily’s sister brand Cyber Daily on Monday that this wasn’t just an attack on individual funds, “it was an attack on the public’s trust in the superannuation system”.
“The industry needs to move beyond traditional security measures and adopt a collaborative approach to combating external threats. We need shared threat intelligence, playbooks, and proactive tooling to tackle credential-based attacks before they succeed.”
According to Droguett, the fact that the attack leveraged stolen credentials without ever needing to breach dedicated cyber defences is particularly worrying.
“These attacks weren’t about breaching firewalls; they exploited compromised member credentials, a clear blind spot in our cyber security landscape,” Droguett said.
“This isn’t a failure of multi-factor authentication or firewalls, it’s a failure to detect what’s already leaked. In fact, our team at Software@Scale regularly monitors malware logs collected from info-stealer campaigns and finds that most enterprises are compromised with significant risk without awareness.”
In other words, the scale of the threat should have been clear, but a lack of dark web monitoring led to all the signs of an imminent attack being ignored.
“The threat was visible but not acted upon,” Droguett said.
“This demonstrates a critical need for proactive dark web monitoring. Knowing when member credentials are compromised allows funds to take immediate action, before attackers can exploit them.”
Craig Searle – director, consulting and professional services (Pacific) and global leader of cyber advisory at Trustwave – highlighted the importance of managing supply chain risk and following proper data handling frameworks.
“Financial institutions play a vital role in maintaining trust through transparency and strong cyber defences, as they are prime targets for cyber crime due to the large volumes of sensitive data they handle,” Searle said.
“Several regulatory frameworks mandate the management of supply chain risks. In Australia, organisations must comply with legislation, including the Privacy Act 1988 and the Security of Critical Infrastructure Act 2018, which set requirements for data handling and cyber security measures.
“An effective cyber security framework should include prevention, detection and response measures. Financial institutions should also conduct ongoing and enhanced customer due diligence to manage risks and ensure compliance with regulatory standards.”
In a note sent to InvestorDaily on Monday, Insignia, which confirmed on Friday that the breach was caused by a credential stuffing incident involving an unusual number of login attempts targeting the Insignia Financial Expand platform, stated that there has been no new activity.
Liz McCarthy, the CEO of Expand, said: “The cyber security team are applying additional monitoring and have put in place further protections to safeguard customer accounts on the Expand platform.
“We have contacted all impacted customers and have not observed any new activity.”
A spokesperson for AustralianSuper told Cyber Daily on Friday that compromised accounts have been locked down with their owners contacted and that all accounts have had their capabilities restricted to prevent card and banking details from being changed. Additionally, AustralianSuper has contacted the office of the National Cyber Security Coordinator regarding the incident.
Meanwhile, ART downplayed the cyber breach via social media, stating that no suspicious transactions or changes to member accounts have been detected.
“We know there’s a lot going on at the moment that could lead you to be concerned about your super. And that’s completely understandable,” the fund said.
“The most important thing we can tell you is that ART is effectively managing the recent cyber events of the kind that have been happening to super funds.
“You will hear from us directly if we detect any unusual cyber activity on your account.”
