Hackers have struck Australia’s most significant pension funds in coordinated attacks, stealing savings from some members at the biggest fund. The attacks have compromised more than 20,000 accounts. Michelle McGuinness, the National Cyber Security Coordinator, said she was aware of “cyber criminals” targeting accounts in the country’s A$4.2 trillion retirement savings sector.
She is organizing a response across the government, regulators, and industry. The Association of Superannuation Funds of Australia said “a number” of funds were impacted over the weekend. AustralianSuper, Australian Retirement Trust, Rest, Insignia, and Hostplus have all confirmed they suffered breaches.
AustralianSuper, the country’s largest fund managing A$365 billion for 3.5 million members, said that up to 600 member passwords had been stolen to access accounts and attempt fraud. “We took immediate action to lock these accounts and let those members know,” said Rose Kerlin, AustralianSuper’s Chief Member Officer. According to a source, four AustralianSuper members had a combined A$500,000 drained from their balances and transferred to other accounts that did not belong to them.
Australian Retirement Trust, the second-largest fund managing A$300 billion for 2.4 million members, said it had detected “unusual login activity” affecting “several hundreds” of accounts. It locked impacted accounts as a precaution, though no suspicious transactions or changes were made.
Cyberattacks on pension funds
Rest Super, the default industry pension fund for retail workers with A$93 billion of assets under management, said it suffered an attack that impacted around 20,000 accounts, or around 1% of its 2 million members. “We responded immediately by shutting down the Member Access portal, undertaking investigations, and launching our cyber security incident response protocols,” said Rest CEO Vicki Doyle. Insignia Financial, which owns the pension fund MLC, said it detected “suspicious” login activity on 100 MLC Expand customer accounts.
MLC Expand CEO Liz McCarthy said there had been no financial impact on members at this stage. Hostplus, which has over 1.8 million members and A$115 billion under management, also confirmed it suffered an attack. A spokesperson said no member losses had occurred but that the extent of the incident was still being investigated.
Prime Minister Anthony Albanese said he had been briefed about the hacks and that there would be a “considered” response from government agencies soon. He added that such attacks were a “regular issue” in Australia, with one occurring every six minutes. Treasurer Jim Chalmers said the developments were “very concerning,” while shadow cyber security minister James Paterson called for funds to reimburse members who lost money from the attack.
Australia’s largest not-for-profit hospital and aged care provider, St Vincent’s Health, private health insurer Medibank, and telecom Optus have all suffered major breaches. In 2023, the government committed A$587 million to fund a seven-year strategy to improve the cybersecurity of citizens, businesses, and agencies.