
Several large Australian superannuation funds were stung with a coordinated cyber-attack at the end of March that saw a handful of accounts drained and member data stolen.
In a warning for KiwiSaver providers to ensure digital security arrangements are up to date, the targeted hack saw some members of AustralianSuper – the biggest fund in the sector – lose their savings, while other large providers, Rest, Hostplus, Insignia and Australian Retirement, suffered outages.
According to media reports, the A$365 billion AustralianSuper saw four members lose a combined A$500,000 through the online attack.
Rest said in a release: “At this stage, we believe that some of our members may have had limited personal information accessed and we are currently working through this with those impacted members.”
The Association of Superannuation Funds of Australia (ASFA), the peak body for the industry, said in a statement that “hackers attempted to get through the cyber-defences of a number of superannuation funds” at the end of March.
“While the majority of the attempts were repelled, unfortunately a number of members were affected,” the ASFA release says. “Funds are contacting all affected members to let them know and are helping any whose data has been compromised.”
The almost A$4 trillion Australian super industry has been warned by regulators to improve security arrangements.
For example, the Australian Securities and Investments Commission (ASIC) urged superannuation trustees to introduce stronger anti-scam and fraud-repellent measures in a letter sent this January.
“As banks, telecommunications providers and other financial service businesses increase their anti-scam and anti-fraud capabilities, superannuation trustees must do the same or risk becoming a soft target,” the ASIC letter says.
In 2023, John Lonsdale, chair of the Australian Prudential Regulation Authority (APRA), which oversees the super sector, also called out cyber-security as a key concern.
“Where an entity is found to be significantly wanting in its cyber preparedness, we are intensifying supervision, insisting upon remediation plans, and taking enforcement action such as capital overlays and potentially license conditions,” Lonsdale said.
APRA and ASIC have yet to issue statements on the latest super fund breach but Australian Prime Minister Anthony Albanese told media that the government “will respond in time.”
“We are considering what has occurred. Bear in mind, the context here, there is a cyber attack in Australia roughly every 6 minutes,” Albanese said. “This is a regular issue.”
While the roughly A$130 billion KiwiSaver market presents a smaller prize for online thieves, the 3.2 million members are undoubtedly a target for fraudsters.
To date, no scheme has reported any loss of member funds due to cyber-crime but in 2020 hackers broke into the Generate KiwiSaver system, exposing the personal details of about 26,000 members to theft.