Australian super funds face steep fines after massive cyber attack
A coordinated cyber attack has rocked Australia’s biggest superannuation funds, revealing major security lapses and igniting fresh criticism over industry governance and risk oversight.
Australia’s biggest super funds are facing a fresh governance crisis as critics round on the industry in the wake of a co-ordinated cyber attack on member accounts in the same week criminals targeted executives in an impersonation scam.
Australian Super, Australian Retirement Trust, Hostplus and Rest – which collectively manage almost $1 trillion of savings on behalf of millions of Australians – were targeted in last week’s heist, along with Insignia-owned platform MLC Expand.
Four AustralianSuper customers lost $500,000 and, while the fund is still investigating whether any other money has been stolen, neither the AFP nor the Office of the Australian Information Commissioner has opened an investigation into the cyber attack.
An AFP spokesman said the matter had not been referred to the agency as of Friday, while The Australian revealed AustralianSuper did not protect its members’ accounts with multifactor authentication (MFA), the security standard many of the big banks use and advocate.
This has left the door open for potentially hefty financial penalties from the financial watchdog if it is found the super funds’ digital security systems were weak or insufficient.
It has also emerged that cybercrooks, in a separate attack last week, targeted industry leaders through a phishing scam.
Women in Super, a not for profit organisation which includes some super industry executives and representatives on its board, said it had been the target of an unsuccessful attack.
“We can confirm that a recent phishing attempt impersonating Women in Super office holders was unsuccessful and did not result in any breach or compromise,” a spokesperson said.
“We acted swiftly and responsibly, identifying the threat early and taking immediate steps to notify all relevant stakeholders. We remain vigilant and continue to prioritise the security of our systems and communications.”
But NSW Liberal Senator Andrew Bragg on Sunday blasted the industry for not doing enough to ensure members’ retirement savings were protected, as he took aim at the government response.
“The government doesn’t appear to be too fussed about it, and that worries me, but it’s consistent with how they approach these super governance issues,” Mr Bragg told The Australian.
“In terms of the super funds, there’s a board competency issue here which transcends cyber. It goes through everything to do with risk management.
“The super industry is way too relaxed about (the attack). If they had better quality-governance from the top, my sense is they would be treating this much more seriously than they are.”
Mr Bragg said Labor had not looked closely enough at the governance issue “because it doesn’t suit them politically”.
“These entities (super funds) are pretty much shell companies. They outsource investment management, they outsource insurance, they outsource administration. All they’ve got to do is comply with laws and engage in some decent risk management and a few other things.
“And as a former internal auditor, I can only imagine what the risk and control matrix looks like, if it exists (at these funds),” he said.
Super Consumers Australia chief executive Xavier O’Halloran said he had flagged these vulnerabilities with the affected funds two years ago but his concerns were ignored.
“We’ve been raising this issue with ASFA member funds for at least the last two years. We did an audit (on risk) back at the start of 2023 and found that these vulnerabilities existed. The funds that have been affected (by this attack), we told them at the time (of these risks).
“It’s really disappointing that protections were not put in place, and that’s why people have lost money and been exposed to these threats.”
The hackers gained access to the accounts via a process known as “credential stuffing”, which involves using stolen usernames and passwords – some from previous cyber attacks – that are already circulating on the dark web.
The attackers exploit the fact that people often repeatedly use the same passwords for different accounts but companies that adopt multifactor authentication (MFA) can defend such strikes more effectively.
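The log signature of the technique described above, as an added illustration that is not part of the original report and not code from any of the funds named in it: credential stuffing replays leaked username/password pairs, so one source cycles through many different usernames with a low success rate, whereas a legitimate member who mistypes a password retries a single username. The log format, the IP addresses (documentation ranges) and the usernames below are constructed for the example.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example, not code from the article or from any superannuation fund.
The detection rule: within a sliding time window, a single source that
attempts at least `min_distinct_users` different usernames while succeeding
on at most `max_success_ratio` of its attempts is flagged, and any account
it did log into is listed as at risk.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    source_ip: str
    username: str
    success: bool


# Constructed sample log: 203.0.113.7 works through eight member accounts
# and gets one hit; 198.51.100.20 is one member mistyping her password twice.
SAMPLE_LOG = """\
2025-04-04T09:00:00 ip=203.0.113.7 user=j.smith result=FAIL
2025-04-04T09:01:00 ip=203.0.113.7 user=a.patel result=FAIL
2025-04-04T09:02:00 ip=203.0.113.7 user=k.ozturk result=FAIL
2025-04-04T09:03:00 ip=198.51.100.20 user=alice result=FAIL
2025-04-04T09:03:00 ip=203.0.113.7 user=l.chen result=FAIL
2025-04-04T09:04:00 ip=198.51.100.20 user=alice result=FAIL
2025-04-04T09:04:00 ip=203.0.113.7 user=r.okafor result=FAIL
2025-04-04T09:05:00 ip=198.51.100.20 user=alice result=OK
2025-04-04T09:05:00 ip=203.0.113.7 user=m.nguyen result=OK
2025-04-04T09:06:00 ip=203.0.113.7 user=s.ivanova result=FAIL
2025-04-04T09:07:00 ip=203.0.113.7 user=d.murphy result=FAIL
"""


def parse_line(line: str) -> LoginEvent:
    """Parse one 'timestamp key=value ...' line of the constructed format."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return LoginEvent(datetime.fromisoformat(ts_str), kv["ip"], kv["user"],
                      kv["result"] == "OK")


def detect_credential_stuffing(events: Iterable[LoginEvent],
                               window: timedelta = timedelta(minutes=10),
                               min_distinct_users: int = 5,
                               max_success_ratio: float = 0.2) -> Dict[str, dict]:
    """Return {source_ip: summary} for every source whose activity inside
    some window matches the stuffing pattern."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.source_ip].append(ev)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            current = evs[start:end + 1]
            users = {e.username for e in current}
            hits = [e for e in current if e.success]
            if (len(users) >= min_distinct_users
                    and len(hits) / len(current) <= max_success_ratio):
                # Overwrite on each match so the summary covers the latest window.
                flagged[ip] = {
                    "attempts": len(current),
                    "distinct_users": len(users),
                    "successes": len(hits),
                    "accounts_at_risk": sorted({e.username for e in hits}),
                }
    return flagged


def analyse_log(text: str) -> Dict[str, dict]:
    """Parse a log in the constructed format and run the detector over it."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return detect_credential_stuffing(events)


if __name__ == "__main__":
    for ip, summary in analyse_log(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately conservative: the normal member at 198.51.100.20 fails twice and succeeds once but only ever touches one username, so she never trips the distinct-user threshold, while the stuffing source is flagged together with the one account it actually got into, which is the account a fund's incident team would want to lock and contact first.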
When asked why Australian Super didn’t already have multifactor authentication to protect accounts, a spokesman said the fund was aiming to improve its digital security.
He said Australian Super had two-factor authentication but not the more secure MFA, which requires two or more methods to verify identity.
“AustralianSuper has an ongoing program of improving and enhancing cybersecurity measures as the nature and variety of cyberattacks change regularly,” the spokesman said.
“We already require two-factor authentication for a number of key interactions that members currently have with their accounts, and we are enhancing a range of security processes across our platforms.”
Anne-Louise Brown – former director of policy at the Cyber Security Cooperative Research Centre and now head of strategy at Akin Agency – said the superannuation funds may face penalties from the Australian Prudential Regulatory Authority.
These include steep fines and other measures to bolster their digital defences.
“If adequate consumer cybersecurity protections are found to have not been adopted, the companies could face significant financial penalties,” Ms Brown said.
Indeed, after hackers infiltrated Medibank’s customer database in 2022 – an attack that saw the personal details and health records of up to 9.7 million Australians published on the dark web – APRA forced the health fund to set aside $250m as ‘insurance’.
The regulator said the penalty reflected “weaknesses” it identified in Medibank’s information security environment.
“The financial services sector is heavily regulated when it comes to cyber security,” Ms Brown said.
“Not only do they need to take reasonable steps to protect their data under the critical infrastructure regime, they also have obligations under APRA.”
Ms Brown said super funds capture a significant amount of sensitive personal financial data, heightening the risk of identity theft and fraud if a breach occurs.
“In terms of Australia’s critical infrastructure regime, superannuation funds are unique in that they are classed as critical infrastructure but are also owners and operators of critical infrastructure via their investments,” Ms Brown said.
“Changes to the Security of Critical Infrastructure Act also mean that personal data is captured by the legislation, which was previously not the case.
“While it will take a while to unpick the full scale of the breach and how it occurred, it is concerning that sensitive personal financial data was potentially breached. Therefore, victims need to be alert to the risk of identity theft and fraud.”
Brett Winterford, regional chief security officer at US identity verification giant Okta, said credential stuffing had become one of the most common forms of attack against any company that offers a way to access accounts online.
“When we see waves of attacks like these, the superannuation funds that enrol their users in multi factor authentication (MFA) fare much better. Even if an attacker’s script matches a credential pair successfully, the attacker still has to try to bypass an MFA challenge to access the user account,” Mr Winterford said.
“The reality is that a lot of consumers don’t want to enrol in MFA to log-in, even to access something as critical as superannuation funds, so funds sometimes need to rely on compensating (additional) controls.”
Mr Winterford said multifactor authentication was also not one-size-fits-all, so companies and customers should not be wary of using it.
“Once users are enrolled, the security team can dial the friction up and down as they see fit. They can choose to prompt the user at log-in, or only when they are logging in from a new location or device, or only to authorise transactions or when making changes to the account.”
He said security teams could also enable and enforce bot detection. “Services like Auth0 use machine learning algorithms to present a CAPTCHA challenge when they detect a request is likely to be a bot.”
Another way to make MFA more streamlined is using services that detect and block known breached passwords.
“These features compare sign-ups or log-ins against lists of billions of known breached usernames and passwords. Organisations can decide to prevent a user from registering an account using one of these passwords, or to require existing users to reset their password,” Mr Winterford said.
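The two compensating controls Mr Winterford describes, screening passwords against known-breached credentials and dialling MFA friction up only for unfamiliar sessions or sensitive actions, modelled as an added example that is not part of the original report and not code from Okta, Auth0 or any fund. The breached-password lookup goes slightly beyond the article: it uses a prefix range query so the full password hash never leaves the client, the k-anonymity pattern breached-password services use; the “service” here is a local stub over a constructed list of hashes. The e-mail one-time code for unenrolled users, the action names and the account data are all assumptions for the example.

```python
"""Compensating controls at login: breached-password screening and
risk-based MFA step-up.

Added example, not code from the article, from Okta/Auth0 or from any
superannuation fund. It assumes the submitted password has already been
verified against the stored password hash; this layer decides what else,
if anything, is required before the session proceeds.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed corpus of breached passwords, stored as upper-case SHA-1 hex
# the way breach-lookup services publish them.
_BREACHED_PLAINTEXTS = {"password123", "qwerty", "letmein", "Summer2024!"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in _BREACHED_PLAINTEXTS}


def simulated_range_query(prefix5: str) -> Set[str]:
    """Stand-in for a remote range endpoint: given the first five hex chars
    of a SHA-1, return the 35-char suffixes of every breached hash sharing
    that prefix. The client only ever sends the prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached_password(password: str) -> bool:
    """Hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in simulated_range_query(prefix)


# Assumed set of account changes that always warrant a challenge.
SENSITIVE_ACTIONS = {"change_bank_details", "withdrawal", "rollover",
                     "change_contact_details"}


@dataclass
class Account:
    username: str
    mfa_enrolled: bool
    known_devices: Set[str]
    known_countries: Set[str]


@dataclass
class Decision:
    outcome: str                 # "allow" | "challenge" | "reset_password"
    challenge: Optional[str]     # "mfa" | "email_otp" | None
    reasons: List[str] = field(default_factory=list)


def evaluate_login(account: Account, password: str, device_id: str,
                   country: str, action: str = "view_balance") -> Decision:
    """Decide what the session needs beyond a correct password."""
    if is_breached_password(password):
        # The article's "require existing users to reset their password".
        return Decision("reset_password", None,
                        ["password appears in breach corpus"])
    reasons: List[str] = []
    if device_id not in account.known_devices:
        reasons.append("unrecognised device")
    if country not in account.known_countries:
        reasons.append("unrecognised location")
    if action in SENSITIVE_ACTIONS:
        reasons.append(f"sensitive action: {action}")
    if not reasons:
        return Decision("allow", None)
    # Enrolled users get a real MFA prompt; unenrolled users fall back to an
    # assumed weaker compensating control (e-mail one-time code).
    return Decision("challenge",
                    "mfa" if account.mfa_enrolled else "email_otp", reasons)


if __name__ == "__main__":
    member = Account("m.nguyen", mfa_enrolled=False,
                     known_devices={"dev-home"}, known_countries={"AU"})
    print(evaluate_login(member, "Wombat-Sandstone-41", "dev-unknown", "AU"))
    print(evaluate_login(member, "qwerty", "dev-home", "AU"))
```

The point of the prefix query is that a fund can screen every login against a corpus of billions of leaked credentials without ever sending a member's password, or its full hash, to a third party; the point of the step-up rule is that a member on a known device in a known country sees no extra friction at all, which is what makes enrolment easier to sell.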
A spokesperson for the Australian Federal Police said that as of Friday the hacking incident had not been referred to the agency.
Additional reporting: Cameron England
Originally published as Australian super funds face steep fines after massive cyber attack