A "number of members" of superannuation funds have been affected by an attack on cyber security defences across the industry last weekend, involving credential stuffing with leaked username and password combinations.
The Association of Superannuation Funds of Australia (ASFA) has released a statement claiming the majority of attempts were repelled, but there were some breaches; affected members were being contacted by their super funds to let them know and to help any whose data has been compromised.
"Retirement savers should be assured superannuation funds and their service providers already have rigorous cyber protections in place," the association said in a statement.
"In a rapidly evolving threat landscape there will always be new and emerging risks, but Australia’s super sector is proactively working together to improve system-wide defences, including through the ASFA Financial Crime Protection Initiative (FCPI).
"Through the FCPI, ASFA will imminently be releasing a Toolkit to ensure strong sector coordination in relation to cyber security."
Funds have recommended that members check their accounts for abnormal activity, set strong and unique passwords, enable multi-factor authentication (MFA), keep personal information up to date and be alert to phishing attempts.
Some super funds whose defences were not breached prefer not to state so publicly, but most responded with claims of no or minimal impact from the industry-wide cyber attack.
MLC Super owner Insignia Financial (ASX: IFL) reports the attack appears to have come from a malicious third party and involved credential stuffing, with an unusual number of login attempts.
In MLC's case, these attempts were targeted at its Expand Platform and to date the group has not observed similar activity impacting other customer-facing platforms.
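The signal the funds describe, an unusual number of login attempts replaying leaked username and password pairs across many different accounts, is what a defender looks for in authentication logs. The following is an added example and is not code from the article or from any fund named in it; the log format, the constructed log lines and the thresholds are assumptions chosen for illustration. It flags a source that tries many distinct accounts with a high failure ratio or at an inhuman rate, and lists the accounts that still accepted a leaked password so they can be locked and the members notified, which is the response the funds describe.

```python
"""Detect credential stuffing in authentication logs (added example).

Credential stuffing replays leaked username/password pairs, so the signature
is one source attempting many *different* accounts, mostly failing, faster
than a person types. Log format and thresholds below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log (not real data): "<timestamp> <source-ip> <username> <outcome>".
# 203.0.113.7 (a documentation address) plays the stuffing source: it cycles
# through eight accounts in a few seconds and two of the leaked pairs still work.
# The 198.51.100.x lines are ordinary members, one of whom mistyped a password.
SAMPLE_LOG = """\
2025-04-05T02:00:01Z 203.0.113.7 member1001 FAIL
2025-04-05T02:00:01Z 203.0.113.7 member1002 FAIL
2025-04-05T02:00:02Z 203.0.113.7 member1003 OK
2025-04-05T02:00:02Z 203.0.113.7 member1004 FAIL
2025-04-05T02:00:03Z 203.0.113.7 member1005 FAIL
2025-04-05T02:00:03Z 203.0.113.7 member1006 FAIL
2025-04-05T02:00:04Z 203.0.113.7 member1007 OK
2025-04-05T02:00:04Z 203.0.113.7 member1008 FAIL
2025-04-05T02:01:10Z 198.51.100.20 member2001 FAIL
2025-04-05T02:01:25Z 198.51.100.20 member2001 OK
2025-04-05T02:03:00Z 198.51.100.21 member2002 OK
"""


@dataclass
class SourceStats:
    """Per-source aggregate of login attempts."""
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that accepted a password


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def analyse(log_text: str, min_users: int = 5, min_fail_ratio: float = 0.6,
            min_rate_per_min: float = 30.0) -> dict:
    """Return {source_ip: summary} for sources that look like credential stuffing.

    A source is flagged when it touches at least `min_users` distinct accounts
    and either mostly fails or attempts logins faster than `min_rate_per_min`.
    The distinct-account count is the key signal: a real member does not
    try eight different usernames in three seconds.
    """
    stats: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        s = stats.setdefault(ip, SourceStats(first_seen=ts, last_seen=ts))
        s.last_seen = max(s.last_seen, ts)
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1

    flagged = {}
    for ip, s in stats.items():
        span_sec = max((s.last_seen - s.first_seen).total_seconds(), 1.0)
        rate = s.attempts * 60 / span_sec
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and (fail_ratio >= min_fail_ratio or rate >= min_rate_per_min):
            flagged[ip] = {
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "fail_ratio": fail_ratio,
                "attempts_per_min": rate,
                # Accounts whose leaked password still worked: lock and notify.
                "compromised_accounts": sorted(s.successes),
            }
    return flagged


def accounts_to_lock(log_text: str) -> list:
    """Union of accounts that accepted a password from any flagged source."""
    names = set()
    for summary in analyse(log_text).values():
        names.update(summary["compromised_accounts"])
    return sorted(names)


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, summary)
    print("lock and notify:", accounts_to_lock(SAMPLE_LOG))
```

In production the per-source key would usually combine IP with device fingerprint or ASN, since stuffing tools rotate through proxy pools; the distinct-account signal still holds per pool member, and the `compromised_accounts` list is what drives the account locks, password resets and member notifications the funds describe.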
"We detected suspicious activity on around 100 Expand Wrap Platform customers’ accounts and at this stage there has been no financial impact to customers," says MLC Expand CEO Liz McCarthy.
"Our Cyber Security team are actively working to apply additional monitoring and mitigations to protect customer accounts. As a precaution we have taken steps to restrict some activities on the Expand Platform.
"Some customers will receive communications prompting them to reset their passwords when they next login to their accounts."
She says MLC is communicating with impacted customers and their advisers, and will continue to keep them updated.
"As is good practice, we encourage customers not to reuse the same credentials across multiple platforms and services, set strong and unique passphrases, and install software updates regularly to keep their devices secure," she says.
A spokesperson for the country's largest superannuation fund, AustralianSuper, says a high volume of traffic to its call centre, member online accounts and mobile app is causing intermittent outages.
"Even though you may not be able to see your account, or you are seeing a $0 balance, your account is secure," the spokesperson says.
"This is a temporary situation and we’re working hard to resolve it as quickly as possible. We apologise for any inconvenience."
AustralianSuper chief member officer Rose Kerlin says a recent spike in criminal activity detected by the fund is a timely warning for members to make sure their account details are correct.
“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app and we are urging members to take steps to protect themselves online,” Kerlin says.
“This week we identified that cyber criminals may have used up to 600 members’ stolen passwords to log into their accounts in attempts to commit fraud.
“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”
Meanwhile, Australia's second-largest fund Australian Retirement Trust has not identified any suspicious transactions regarding impacted accounts.
"We can confirm our digital security system identified unusual login activity and that impacted accounts were locked as a precaution, and members and regulators were notified," a spokesperson says.
Rest Super's chief executive officer Vicki Doyle says that because the fund's response protocols involved an immediate shutdown of the member access portal on the weekend, the impact of the attack has been limited to less than 1 per cent of members. No money has left any accounts and the incident is restricted to approximately 8,000 members.
"Nevertheless, this will be very concerning for the members who have been impacted and we are very sorry this has happened," Doyle says.
"We are in the process of contacting impacted members to work through what this means for them and provide support.
"No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts."
Doyle says Rest believes some members may have had limited personal information accessed, and the fund was working through this with affected members.
"We will continue to keep our members updated and assist them with taking further steps to protect their accounts and personal information," she says.
A spokesperson for Hostplus has confirmed no member losses have occurred at the fund.
"Hostplus acknowledges reports of a cyber incident involving parts of the superannuation industry and understands that this may be concerning to some members," the spokesperson says.
"We are actively investigating the situation to determine the facts and the extent of any impact to Hostplus.
"Our top priority is the security and privacy of our members and their accounts, and we are taking all necessary measures to protect our systems and data."
Others such as AMP Super, Mercer Super, Cbus and Australian Ethical have stated on record that they have experienced no impacts to members.
"We are monitoring the situation closely and at this stage have not identified any evidence of a breach or any unauthorised activity on AMP's systems," an AMP spokesperson says.
"Mercer Super has not identified any activity impacting members, employers or advisers. Recognising the seriousness of the current situation, our cybersecurity defence team together with our technology and operations teams continue to monitor the situation," adds a spokesperson for Mercer Super.
"We are aware of several super funds that have been impacted by the recent cyber-attacks; at this stage there is no evidence that Cbus members have been impacted," adds a representative for Cbus.
A spokesperson for Australian Ethical has encouraged all members to check their security settings to ensure they have set up multi-factor authentication and that their password is unique, and to look out for any changes to their account, such as unusual emails or SMS and authentication codes that they didn't request.
"Australian Ethical Superannuation has not been affected by the recent cyber-attacks," the spokesperson says.
"Since being informed of a potential issue experienced by other superfunds, we have implemented heightened monitoring to understand and mitigate any risk.
"Members can rest assured that the protection and security of their retirement savings is a priority, and we will continue to remain vigilant in the face of rising cyber-attacks."
Despite the assurances from numerous funds and the industry association, the head of Super Consumers Australia (SCA) claims the breach follows consistent warnings from the regulators and consumer advocates that the super sector as a whole is lagging on cyber-resilience and fraud and scam protections.
"Reports of this cyber attack on at least five big super funds are shocking and unsettling," says SCA CEO Xavier O’Halloran.
"This is people’s financial future at risk. And the details and extent of this attack are still emerging.
"Australians are legally required to put their money into super. Today’s news is chilling when we know super funds aren’t doing enough to protect Australians’ retirement savings."
Superannuation is currently not included in the new Scams Prevention Framework, which will lift protections for customers of banks, telecommunications providers and digital platforms.
“We’re calling on the next Government to urgently extend the new protections to safeguard Australians’ retirement savings against fraudsters, scammers and cybercriminals," O'Halloran says.
“The super system has no excuse to be unprepared. It’s time to meet community expectations and protect people’s money when it matters most.”