‘Safest place to have your money’: super trustees dismissed warnings about cyber risk
Australia’s corporate watchdog told superannuation funds to bolster their online security, warning ‘weak’ protection exposed members’ retirement savings to fraud. But it received a shocking response from the sector’s lobby group.
Superannuation funds targeted in a co-ordinated cyber attack that plundered hundreds of thousands of dollars in Australian retirement savings are yet to report the heist to the Australian Federal Police, while fund trustees ignored previous warnings from regulators to strengthen their “weak” online security.
“The AFP has not received a report of crime in relation to this matter,” a force spokesman told The Australian on Monday.
The AFP tracked down the Russian hacker who staged a massive cyber attack against Medibank in late 2022 and published the health records of millions of Australians onto the dark web.
Hackers staged the biggest cyber attack on the superannuation sector last week, launching strikes against AustralianSuper, Australian Retirement Trust, Hostplus and Rest, which collectively manage almost $1 trillion of savings on behalf of millions of Australians.
Cbus also revealed on Monday that it has been hit with an “unusually high spike in log-in attempts” following the hack.
“At this stage of our inquiries, there is no evidence that any financial losses have occurred for Cbus members,” the fund said.
The Australian Securities & Investments Commission told superannuation trustees – who are mainly union or employer group appointees – in late January that trillions of dollars of Australians’ retirement savings were at risk from data breaches and scams.
The Australian Prudential Regulation Authority also urged the funds in May 2023 to adopt a tougher security measure known as multifactor authentication to protect members’ savings.
But The Australian can reveal that warning was also not heeded, with Australia’s biggest super fund, AustralianSuper, telling customers it had yet to adopt MFA – effectively leaving the door open to hackers.
Association of Superannuation Funds chief executive Mary Delahunty dismissed ASIC’s warning, declaring “superannuation funds are actually some of the safest places in the country to have your money”.
“Australia’s superannuation account holders shouldn’t be alarmed: the sector is taking action now to future-proof against any potential risks, even though scams are incredibly rare in the superannuation sector,” Ms Delahunty said on the same day ASIC issued the warning. She also criticised the regulator for publicly airing its concerns.
Just over two months later, hackers have now plundered hundreds of thousands of dollars in retirement savings.
But the federal government has attempted to play down the heist – unlike its strong criticism of a similar strike against Optus. Anthony Albanese said cyber attacks happen “all the time”.
A spokeswoman for the Department of Home Affairs said: “the National Office of Cyber Security is co-ordinating engagement across the Australian Government and with industry stakeholders regarding the issues impacting the superannuation sector”.
But she said “investigations are a matter for law enforcement”.
ASIC commissioner Simone Constant said super fund trustees “lacked many of the foundational anti-scam practices” and wrote to them in January urging them to upskill and strengthen the cyber defences of funds.
Four AustralianSuper customers lost $500,000 during last week’s heist, although the fund assured customers who were seeing a “$0 balance” on their profiles that they had secure accounts.
The hackers gained access to the accounts – in the same week criminals targeted executives in an impersonation scam – via a process known as “credential stuffing”. This involves taking stolen usernames and passwords – some from previous cyber attacks – that are already circulating on the dark web and trying them in bulk against another service, relying on people having reused the same password.
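Credential stuffing has a recognisable footprint in authentication logs: one source address cycling through many different usernames in a short period, with most attempts failing, followed by the occasional success against an account that has no second factor. The script below is an added example, not code from the article or from any fund; it runs a simple detector over a constructed set of login records (the log format, the IP addresses and usernames, and the thresholds `window_s`, `min_accounts` and `min_fail_ratio` are all assumptions chosen for illustration) and then lists which successful logins from a flagged address were not protected by MFA, which is exactly the gap the regulators’ warnings were about.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    ts: int          # seconds since epoch (constructed values)
    src_ip: str
    username: str
    success: bool
    mfa_used: bool


# Constructed sample log, one attempt per line: "<ts> <ip> <user> OK|FAIL mfa=yes|no".
# It is not taken from any real system. 203.0.113.7 sprays eight different
# accounts in 14 seconds; 192.0.2.9 is a single user mistyping a password.
SAMPLE_LOG = """\
1712000000 203.0.113.7 alice FAIL mfa=no
1712000002 203.0.113.7 bob FAIL mfa=no
1712000004 203.0.113.7 carol FAIL mfa=no
1712000006 203.0.113.7 dave OK mfa=no
1712000008 203.0.113.7 erin FAIL mfa=no
1712000010 203.0.113.7 frank FAIL mfa=no
1712000012 203.0.113.7 grace OK mfa=no
1712000014 203.0.113.7 heidi FAIL mfa=no
1712000020 198.51.100.4 ivan OK mfa=yes
1712000030 192.0.2.9 judy FAIL mfa=no
1712000045 192.0.2.9 judy FAIL mfa=no
1712000060 192.0.2.9 judy OK mfa=yes
"""


def parse_log(text: str) -> list[LoginAttempt]:
    """Parse the constructed log format into LoginAttempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, mfa = line.split()
        attempts.append(LoginAttempt(int(ts), ip, user, result == "OK", mfa == "mfa=yes"))
    return attempts


def detect_credential_stuffing(
    attempts: list[LoginAttempt],
    window_s: int = 300,
    min_accounts: int = 5,
    min_fail_ratio: float = 0.7,
) -> dict[str, dict]:
    """Flag source IPs that try many distinct accounts within a sliding window
    with a high failure rate. Returns {ip: stats} for the widest matching window.
    Thresholds are illustrative assumptions; tune them to real traffic."""
    by_ip: dict[str, list[LoginAttempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)

    flagged: dict[str, dict] = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        lo = 0
        for hi in range(len(rows)):
            # Advance the window start until the span fits within window_s.
            while rows[hi].ts - rows[lo].ts > window_s:
                lo += 1
            window = rows[lo:hi + 1]
            accounts = {a.username for a in window}
            fails = sum(1 for a in window if not a.success)
            ratio = fails / len(window)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    flagged[ip] = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(window),
                        "fail_ratio": round(ratio, 2),
                    }
    return flagged


def accounts_at_risk(attempts: list[LoginAttempt], flagged: dict[str, dict]) -> list[str]:
    """Accounts that a flagged IP logged into successfully without a second
    factor: the logins MFA would have stopped, and the ones to review first."""
    return sorted({
        a.username for a in attempts
        if a.src_ip in flagged and a.success and not a.mfa_used
    })


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(records)
    for ip, stats in hits.items():
        print(f"suspected credential stuffing from {ip}: {stats}")
    print("successful logins without MFA from flagged IPs:", accounts_at_risk(records, hits))
```

On the constructed log the detector flags only 203.0.113.7 (eight accounts, 75% failures) and leaves the legitimate retry from 192.0.2.9 alone, because one user failing twice never reaches the distinct-account threshold. The second function shows why MFA matters even when the detector fires: the two accounts the spraying address did get into are precisely those without a second factor.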
Members ‘vulnerable’
Ms Constant said members who reach preservation age were particularly vulnerable to breaches and fraud, saying they face “fewer restrictions in accessing their funds” and “tend to have higher account balances”.
“These factors make them attractive targets,” Ms Constant said.
“Our recent review of trustees’ practices in preventing, detecting and responding to scams identified several areas of weak trustee practices.
“The review found that trustees were overly reliant on anti-fraud measures and had limited focus on the specific risks and harms associated with scams. For example, they focused on confirming that the person requesting a transfer was the member, rather than looking for flags to indicate that the member may have been tricked.”
The Australian Prudential Regulation Authority told super funds in May 2023 that it expected them to use multifactor authentication (MFA) to protect members’ accounts against cyber attacks. But almost two years later, they had yet to deploy the key security measure.
The Australian revealed at the weekend that AustralianSuper didn’t use MFA – the security standard many of the big banks use and advocate.
This has left the door open for potentially hefty financial penalties from the financial watchdog if it is found the super funds’ digital security systems were weak or insufficient.
ASIC also has such powers and last month took corporate and government bonds specialist FIIG Securities to court, alleging it failed to have adequate cybersecurity measures for more than four years.
Lack necessary oversight
ASIC has been contacted for comment about the latest super fund cyber attack. But in January Ms Constant said super fund trustees also did not have “oversight of their external administrators’ anti-scam and anti-fraud practices”.
“For example, in our engagement with trustees, they frequently referred in general terms to their administrators’ systems and processes, but sometimes lacked knowledge about key details. One of the trustees we engaged with was unable to identify whether its administrator undertook basic interventions, such as engaging with members over scams.
“Trustees in our review also lacked many of the foundational anti-scam practices.”
The Australian Financial Complaints Authority has also reported an increase in more sophisticated scam activity in the superannuation industry. AFCA said while the number of scam-related complaints in superannuation was still small, the loss claimed was sometimes very significant.
“Trustees generally reported that they had not seen many, if any, instances of scams impacting their members. Several trustees told us that this was the reason for their limited focus on scams,” Ms Constant said.
This was despite Ms Constant saying that superannuation trustees played a “critical role in combating the risk of scams and fraud”.
“They are the first line of defence to trillions of dollars in members’ retirement savings.
“Across the whole financial system, technological innovations and data breaches – including breaches involving identity documents – continue to heighten the risk of scams and fraud.
“As banks, telecommunications providers and other financial service businesses increase their anti-scam and anti-fraud capabilities, superannuation trustees must do the same or risk becoming a soft target.”
Anne-Louise Brown – former director of policy at the Cyber Security Co-operative Research Centre and now head of strategy at Akin Agency – said investing in cyber security was about good governance.
“When it comes to security in our digitally connected world, and as spelled out in Australia’s critical infrastructure regime, organisations need to approach the issue holistically,” she said.
“This means considering physical security, personnel security and, arguably most importantly, cyber security. Given organisations’ reliance on digital systems to operate, cyber security is the backbone of connection and operations.”