About half a million dollars was taken from retirement accounts in an early April cyber attack on Australia’s largest superannuation funds, according to details first shared with the media by an anonymous inside source. A number of individual funds, including AustralianSuper and Australian Retirement Trust, have since confirmed that they suffered breaches affecting some of their members.
The full scope of the cyber attack remains unclear, but the details released so far by the breached funds indicate that a relatively small number of accounts were compromised. That nevertheless includes about 20,000 accounts at one fund and at least 600 at another.
Cyber attack spread damage across numerous individual retirement accounts
The Association of Superannuation Funds of Australia represents the largest superannuation funds in the country, the biggest of which have several million members each. The industry group has confirmed that an unspecified number of its member funds were hit by data breaches, and some of those funds have come forward to independently confirm their own cyber attacks.
An inside source initially told the media that about 20,000 accounts in total were compromised. Rest Super, which manages superannuation for retail workers, said that roughly that number of its accounts were breached in its cyber attack, about 1% of its two million members. It is unclear how much was lost, but the fund manages some $93 billion in assets.
Other major superannuation funds that independently confirmed cyber attacks include AustralianSuper, Australian Retirement Trust, Insignia and Hostplus. Most of these have a similar or larger member count and handle comparably large amounts of assets, but have either not disclosed how many members were breached or have said that only several hundred were impacted. AustralianSuper confirmed that about 600 members had their passwords stolen, with known losses so far totalling about AUD 500,000. Australian Retirement Trust said that it found suspicious login activity on about 100 accounts, and Insignia Financial issued a similar statement but said that it has not yet seen any thefts from those accounts. Hostplus confirmed a cyber attack but did not provide specific numbers, and has not seen evidence of theft from customer accounts so far.
Some victims may also have had personal information taken. The Association of Superannuation Funds of Australia said that the impacted funds would be contacting these individuals. The full scope is unclear, but Rest said that for all but 20 victims only first names, email addresses and member numbers were exposed. Those 20 might have had full names, addresses, account balances and beneficiaries exposed.
Superannuation funds reassure clients of cybersecurity protections
The news caused a rush of members checking on their superannuation accounts, in some cases finding a balance of $0 or being unable to log in. AustralianSuper said that in most cases this was due to a “glitch” and that member funds were secure apart from the reported AUD 500,000 loss from about 600 specific accounts.
Australian Ethical, another superannuation fund that has reported attempts but no damage, says that it sees evidence of the hackers using passwords leaked in prior data breaches. Although it reports no losses, the fund has instituted mandatory multi-factor authentication and added “internal controls” to improve its cybersecurity.
Though more information about the individual cyber attacks would be useful, the campaign currently appears to be credential stuffing: replaying username and password pairs leaked in earlier, unrelated breaches against the funds’ login portals, which succeeds wherever a member reused a password and no second factor was required. That has raised concerns about the general state of security of superannuation funds in the country; ABC News Australia reports that several AustralianSuper members had asked the fund for an MFA option in the weeks before the attack and had been told it was not necessary, despite a recent Financial Services Council recommendation that MFA be mandatory for all of these funds by July 2026.
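The two controls the paragraphs above point at, spotting a credential-stuffing run in the login logs and blocking the reused passwords it depends on, look like this in practice. The following is an added example written for this article; it is not code from any of the funds named here, and the log format, the thresholds, the sample log lines and the breached-password corpus are all constructed assumptions.

```python
"""Credential-stuffing detection over login logs, plus a k-anonymity
breached-password check. Added example; all data and formats are assumed."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (assumed format; RFC 5737 documentation IPs):
# "<UTC timestamp> ip=<source> user=<member id> result=<ok|fail>".
# 203.0.113.5 tries many member IDs once each and mostly fails, the
# stuffing signature. 198.51.100.7 is one member mistyping a password,
# which must not be flagged.
SAMPLE_LOG = """\
2025-04-01T02:00:01Z ip=203.0.113.5 user=m1001 result=fail
2025-04-01T02:00:02Z ip=203.0.113.5 user=m1002 result=fail
2025-04-01T02:00:03Z ip=203.0.113.5 user=m1003 result=fail
2025-04-01T02:00:04Z ip=203.0.113.5 user=m1004 result=ok
2025-04-01T02:00:05Z ip=203.0.113.5 user=m1005 result=fail
2025-04-01T02:00:06Z ip=203.0.113.5 user=m1006 result=fail
2025-04-01T02:00:07Z ip=203.0.113.5 user=m1007 result=fail
2025-04-01T02:00:08Z ip=203.0.113.5 user=m1008 result=ok
2025-04-01T08:15:00Z ip=198.51.100.7 user=m2001 result=fail
2025-04-01T08:15:20Z ip=198.51.100.7 user=m2001 result=fail
2025-04-01T08:16:05Z ip=198.51.100.7 user=m2001 result=ok
2025-04-01T09:00:00Z ip=198.51.100.9 user=m3001 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(LoginEvent(
                ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                ip=m["ip"], user=m["user"], ok=(m["result"] == "ok")))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, max_success_rate=0.5):
    """Flag a source IP that, within `window`, hits at least `min_users`
    distinct accounts with mostly failing attempts. Stuffing is one try per
    account with a leaked password, so distinct users are high and the
    success rate low; a shared office NAT has many users but a high success
    rate and is left alone. Accounts the flagged IP did log into are
    returned as takeover candidates for lock-out and password reset."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end, cur in enumerate(evs):
            while cur.ts - evs[start].ts > window:  # slide window forward
                start += 1
            chunk = evs[start:end + 1]
            if len({e.user for e in chunk}) < min_users:
                continue
            if sum(e.ok for e in chunk) / len(chunk) > max_success_rate:
                continue
            findings[ip] = {
                "distinct_users": len({e.user for e in evs}),
                "attempts": len(evs),
                "successes": sum(e.ok for e in evs),
                "takeover_candidates": sorted({e.user for e in evs if e.ok}),
            }
            break
    return findings


# Constructed stand-in for a breached-password corpus, indexed by SHA-1
# prefix the way a range-lookup API would be. Built locally so this runs
# offline; a real deployment would query the remote range for the prefix.
_BREACHED_PLAINTEXTS = {"password123", "Summer2024!", "qwerty"}
_RANGE_INDEX = defaultdict(set)
for _p in _BREACHED_PLAINTEXTS:
    _h = hashlib.sha1(_p.encode()).hexdigest().upper()
    _RANGE_INDEX[_h[:5]].add(_h[5:])


def is_breached_password(password: str) -> bool:
    """k-anonymity check: only the first 5 hex chars of the SHA-1 would be
    sent out; the remaining 35 are compared locally against the range."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in _RANGE_INDEX.get(prefix, set())


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f}")
    print("password123 breached:", is_breached_password("password123"))
```

The detector's thresholds are deliberately crude; in production they would be tuned per portal and combined with device and geolocation signals, and the takeover candidates would feed a forced password reset and step-up to MFA rather than a print statement. The breached-password check is the preventive half: rejecting passwords that already appear in leaked corpora removes the reuse that stuffing exploits, and the prefix-only lookup means the password hash itself never has to leave the fund's systems.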
Australians are particularly sensitive about financial account security and personal data after a string of large data breaches over the past several years, severe enough to prompt major and immediate reform by the government. Those breaches, at major telecom firm Optus, health insurer Medibank and health care provider St Vincent’s Health among others, spurred the government to overhaul its outdated privacy laws and commit over half a billion AUD to a seven-year plan to improve cybersecurity nationally.
National Cyber Security Coordinator Michelle McGuinness responded to media reports of the cyber attacks by saying that a coordinated government response is being organized, a statement backed by Prime Minister Anthony Albanese. The Association of Superannuation Funds of Australia said that it will participate in this effort by setting up a hotline connecting the impacted funds with industry organizations and government entities, and that it will release a toolkit for participating parties to improve coordination.