Super funds open to cyberattack


Are your savings at risk? Funds are weak on security and have been told, again, to tighten up.

Keep Scam SAFE


Scammers are not just targeting your super. Sophisticated criminals have many ways to try to steal your money, and you need to stay one step ahead.

And National Seniors Australia (NSA) has your back.

For more information about keeping your funds secure and avoiding being scammed, visit our Keep Scam SAFE page for tips.

Despite repeated warnings to boost their cybersecurity, super funds continue to fall short, a shortfall that contributed to the cyberattack earlier this year that hit five of the largest funds – AustralianSuper, Australian Retirement Trust, Hostplus, Rest Super and Insignia Financial’s MLC Expand platform. Cbus was also hit but has since reportedly said that its systems were not compromised.

The hackers used a technique called “credential stuffing”: login details leaked in other incidents are tried against accounts on the assumption that people reuse the same passwords, exploiting the target company’s lax authentication measures.
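From a defender’s side, credential stuffing has a recognisable shape in authentication logs: one source tries many different usernames in a short window, almost all of them fail, and the rare success is the account whose member reused a leaked password. The following is an added example, not code from the article or from any of the funds named, that scans a constructed log sample for that pattern. The log format, the IP addresses and usernames, and the five-minute window and five-account threshold are all assumptions chosen for illustration.

```python
"""Flag credential-stuffing patterns in (constructed) authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real traffic. Assumed format:
# <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2025-04-01T02:00:01 203.0.113.10 alice LOGIN_FAIL
2025-04-01T02:00:02 203.0.113.10 bob LOGIN_FAIL
2025-04-01T02:00:02 203.0.113.10 carol LOGIN_FAIL
2025-04-01T02:00:03 203.0.113.10 dave LOGIN_OK
2025-04-01T02:00:04 203.0.113.10 erin LOGIN_FAIL
2025-04-01T02:00:05 203.0.113.10 frank LOGIN_FAIL
2025-04-01T02:00:06 203.0.113.10 grace LOGIN_FAIL
2025-04-01T02:00:07 203.0.113.10 heidi LOGIN_FAIL
2025-04-01T02:00:08 203.0.113.10 ivan LOGIN_FAIL
2025-04-01T02:00:09 203.0.113.10 judy LOGIN_FAIL
2025-04-01T02:05:00 198.51.100.7 alice LOGIN_FAIL
2025-04-01T02:05:30 198.51.100.7 alice LOGIN_FAIL
2025-04-01T02:06:00 198.51.100.7 alice LOGIN_OK
2025-04-01T03:00:00 203.0.113.10 ken LOGIN_FAIL
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Report source IPs that try >= min_distinct_users distinct accounts inside `window`.

    A normal member produces a few attempts against one or two accounts; a
    stuffing run hits many accounts from one source. For each IP a sliding
    window moves over its time-ordered events and the widest hit is kept.
    Returns {ip: {"distinct_users", "failures", "successes", "compromised"}}
    where "compromised" lists accounts that logged in successfully inside the
    flagged window and therefore warrant a password reset and member contact.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) < min_distinct_users:
                continue
            previous = findings.get(ip)
            if previous is None or len(users) > previous["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for e in span if not e[3]),
                    "successes": sum(1 for e in span if e[3]),
                    "compromised": sorted({e[2] for e in span if e[3]}),
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['failures']} failures, {info['successes']} successes, "
              f"accounts to reset: {info['compromised']}")
```

On the sample, 203.0.113.10 is flagged for hitting ten accounts in nine seconds with one success (dave), while 198.51.100.7, a member fumbling their own password three times, is not. In production the same logic would run on the fund’s real login events, and the threshold would be tuned against the site’s normal traffic; the usual mitigations it supports are rate-limiting and step-up MFA on the flagged source and a forced reset on any account it got into.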

AustralianSuper customers lost $750,000, which the fund has committed to reimbursing, but no other fund reported money stolen from accounts. At the time, the incident sparked a stern warning from financial regulators to funds to improve their security.

Following the attack, members rushed to check if their accounts were safe, with websites crashing across the sector. 

The Australian Prudential Regulation Authority (APRA) says the attack exposed “persistent weaknesses in authentication practices across the superannuation industry”. 

APRA has reminded entities of their obligations under Prudential Standard CPS 234 Information Security and outlined specific actions to assess and strengthen authentication controls.

The regulator has written to all RSE (Registrable Superannuation Entity) licensee board chairs, reinforcing expectations around information security and the implementation of robust authentication controls.

What must funds do now?


Super funds must: 

  • Complete a self-assessment of their information security controls 

  • Ensure multi-factor authentication (MFA) or equivalent protections are in place for high-risk activities and privileged access

  • Notify APRA of any material control weaknesses or breaches

  • Identify their Accountable Person(s) under the Financial Accountability Regime (FAR) responsible for CPS 234 compliance. 

For fund members, a consequence of this mandatory tightening of security is likely to be more complex fund and app login requirements.

These will include additional security steps such as firewalls, multi-factor authentication gateways and password renewals. Better to be safer than sorry, I guess.


Related reading: APRA, AFR

Author

John Austin

Policy and Communications Officer, National Seniors Australia
