
Money lost, accounts accessed: Super funds attacked using stolen passwords

By Sarah Danckert and Sumeyya Ilanbey

Thousands of Australians have had personal details fraudulently accessed, and several people lost hundreds of thousands of dollars as some of the country’s largest superannuation funds were hit by a co-ordinated cyberattack.

Australian Retirement Trust, AustralianSuper, HostPlus, Rest and Insignia Financial, which have a combined 11.7 million members and manage almost $1 trillion worth of assets, all fell victim to the attack after hackers obtained email addresses and passwords, most likely on the dark web.

There has been a co-ordinated cyberattack on AustralianSuper, Australian Retirement Trust, Rest, MLC and HostPlus. Credit: Monique Westerman

So far, only some AustralianSuper members have had money improperly withdrawn from their accounts, with the loss estimated at $500,000 for four customers. The other funds are assessing the extent of the attack on their members, but have so far not identified any financial impact.

AustralianSuper’s app crashed on Friday afternoon after members were advised to check their accounts and change passwords. While many were unable to log into their accounts, some were seeing their balances completely wiped out.

Some AustralianSuper members were seeing a “$0 balance” on their profiles.

An Australian Prudential Regulation Authority spokeswoman said any superannuation members who are concerned they have lost money should in the first instance contact their fund.

“Broadly, all super funds hold reserve funds, including the operational risk financial reserve, that could be used to support members in such circumstances,” a spokeswoman said. “Funds may also rely upon other sources such as insurance cover.”

AustralianSuper’s chief member officer, Rose Kerlin, said the fund had seen a spike in suspicious activity across its member portal and mobile app. The fund said that its members’ accounts were secure even if their balance showed $0.

“This week we identified that cyber criminals may have used up to 600 members’ passwords to log into their accounts in attempts to commit fraud,” Kerlin said.


“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”

National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness said she was working with the funds to assess the extent of the attack.


“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cybersecurity advice,” McGuinness said.

The attackers appear to be familiar with the country’s superannuation system as they have mainly targeted people who are in the pension draw-down phase and can request lump sum withdrawals.

A cybersecurity industry source aware of the attack but not permitted to speak on the record said the amount of known losses had quadrupled within 24 hours, and based on an early assessment, the attackers were believed to be Australian-based.

Guy Haydon, 60, from Tallangatta in north-eastern Victoria near the New South Wales border, was one of the 8000 Rest members to receive a notification that his personal information had been improperly accessed. He said staff at the call centre could not answer any of his questions, and had asked for more personal information to confirm his identity.

“Why would I give them more information when they haven’t been able to keep my existing information private?” Haydon told The Age and Sydney Morning Herald.

Rest member Guy Haydon from Tallangatta. Credit: Instagram

“I’m just so frustrated. I’ve just hit 60, so I’m at preservation age for super, it means that my savings can be accessed. When I got the email last night, it just scared the hell out of me.”

Rest Super chief executive Vicki Doyle said less than 1 per cent of its members – or about 8000 customers – were affected by the co-ordinated cyberattacks, and that no funds had been transferred out of members’ accounts.

While in the vast majority of cases, the attackers accessed “limited personal information”, they were able to see the account balances of about 20 Rest customers.

“Over the weekend of 29-30 March 2025, Rest became aware of some unauthorised activity on our online Member Access portal. We responded immediately by shutting down the Member Access portal, undertaking investigations and launching our cybersecurity incident response protocols,” Doyle said.

“At this stage, we believe that some of our members may have had limited personal information accessed, and we are currently working through this with those impacted members.”

RMIT cyber-security research and innovation professor Matt Warren criticised the $4.1 trillion superannuation industry for still not implementing multifactor authentication to better protect its members’ personal information and retirement savings.

Warren said while early indications had shown criminals did not drain thousands of Australians’ superannuation accounts, they had accessed personal information, including member numbers, that could be sold on the dark web.

“When you have weak authentication in a system, the consequence of someone gaining access to that system is they can now gain more information,” he said.

“The attacks occurred in the early hours of the morning, so the attackers logged in, changed people’s passwords and any related information so customers wouldn’t have been aware until they woke up. It’s an organised group who’s been planning this over weeks and months, and just implementing the attack now.”

According to assessments so far, the attack also affected about 200 Australian Retirement Trust members, but the criminals were unable to access any of their retirement savings, the fund said.

“We can confirm our digital security system identified unusual login activity and that impacted accounts were locked as a precaution, and members and regulators were notified,” a spokesman for Australian Retirement Trust said.


“We have not identified any suspicious transactions or modifications regarding these accounts.”

Insignia Financial, which owns the superannuation brands MLC and OnePath, confirmed “suspicious activity” on about 100 member accounts on the Expand platform, and that at this stage money had not been withdrawn. The fund’s Expand investment platform tends to be used by people working with financial advisers.

Expand chief executive Liz McCarthy said the fund had decided to restrict some activities on its platforms to protect customer accounts, and its preliminary investigations had shown the attackers were using “credential stuffing” – replaying username and password combinations leaked from other breaches, which works because so many people reuse the same password across services.
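Credential stuffing leaves a recognisable footprint in a portal's login logs: one source address cycling through many different member accounts, mostly failing, often outside business hours. The following is an added illustration, not code from the article or from any of the funds named; it assumes a hypothetical log format and runs over constructed sample lines to flag such sources and list the accounts that were successfully entered from them (the ones a fund would lock and force through a password reset).

```python
import re
from collections import defaultdict

# Assumed (hypothetical) portal auth log format: timestamp, source IP, member id, outcome
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) member=(?P<member>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample lines, not real data: one address trying six different member
# accounts in a few seconds at 2 a.m. with two successes, and one ordinary member
# who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2025-03-30T02:14:01Z ip=203.0.113.7 member=M100231 result=FAIL
2025-03-30T02:14:03Z ip=203.0.113.7 member=M100232 result=FAIL
2025-03-30T02:14:05Z ip=203.0.113.7 member=M100233 result=OK
2025-03-30T02:14:07Z ip=203.0.113.7 member=M100234 result=FAIL
2025-03-30T02:14:09Z ip=203.0.113.7 member=M100235 result=FAIL
2025-03-30T02:14:11Z ip=203.0.113.7 member=M100236 result=OK
2025-03-30T09:30:00Z ip=198.51.100.24 member=M200001 result=FAIL
2025-03-30T09:30:20Z ip=198.51.100.24 member=M200001 result=OK
"""

def parse(log_text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: sorted member ids that logged in OK from that ip} for every
    source address that tried at least `min_accounts` distinct accounts and
    whose attempts failed at least `min_fail_ratio` of the time."""
    per_ip = defaultdict(lambda: {"members": set(), "fail": 0, "total": 0, "ok": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["members"].add(e["member"])
        s["total"] += 1
        if e["result"] == "FAIL":
            s["fail"] += 1
        else:
            s["ok"].add(e["member"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["members"]) >= min_accounts and s["fail"] / s["total"] >= min_fail_ratio:
            flagged[ip] = sorted(s["ok"])
    return flagged
```

The thresholds are starting points; in practice a fund would tune them against its own traffic and correlate the flagged accounts with follow-on changes such as password or bank-detail updates.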

“Some customers will receive communications prompting them to reset their passwords when they next log in to their accounts,” the spokeswoman said.

Speaking on the campaign trail, Treasurer Jim Chalmers said authorities were working closely with the funds to “make sure we get to the bottom of what’s happening”, while opposition home affairs spokesman James Paterson said members who lost money in the cyberattack should be compensated for their losses.


Original URL: https://www.brisbanetimes.com.au/business/banking-and-finance/multiple-local-super-funds-hit-by-coordinated-cyberattack-20250404-p5lp5t.html