
APRA takes aim at super funds over lax cyber security

Australia’s biggest super funds still haven’t rolled out basic security tools they were told were needed in 2023, as APRA warns that known gaps are letting hackers steal members’ savings.

APRA Deputy Chair Margaret Cole has ordered super funds to better protect members from cyber security risks. Picture: John Feder

The prudential regulator has warned some super funds are failing to meet a basic standard of account security to stop cyber attacks like the one that robbed $750,000 from AustralianSuper members.

In a letter to super funds on Tuesday, the Australian Prudential Regulation Authority said credential stuffing attacks had reinforced its concerns about “persistent weaknesses” in funds’ information security controls, particularly those related to authentication.

Credential stuffing is a cyberattack in which hackers attempt to log into accounts using username and password combinations exposed in previous data breaches, relying on people reusing the same password across services.
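The pattern that distinguishes a credential stuffing run from a member mistyping their own password is one source trying many different usernames with a low success rate. The detector below is an added example written for this article, not code from APRA or any fund; the log line format and the sample lines are constructed, and the thresholds are assumptions a fund would tune to its own traffic.

```python
# Added example: flag credential stuffing in login-audit lines (constructed, not a real fund's logs).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> ip=<addr> user=<member id> result=<success|fail>"
SAMPLE_LOG = """\
2025-03-20T02:00:01 ip=203.0.113.7 user=m1001 result=fail
2025-03-20T02:00:02 ip=203.0.113.7 user=m1002 result=fail
2025-03-20T02:00:03 ip=203.0.113.7 user=m1003 result=fail
2025-03-20T02:00:04 ip=203.0.113.7 user=m1004 result=success
2025-03-20T02:00:05 ip=203.0.113.7 user=m1005 result=fail
2025-03-20T02:00:06 ip=203.0.113.7 user=m1006 result=fail
2025-03-20T08:15:00 ip=198.51.100.4 user=m2001 result=fail
2025-03-20T08:15:20 ip=198.51.100.4 user=m2001 result=fail
2025-03-20T08:15:40 ip=198.51.100.4 user=m2001 result=success
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$")

def parse(log_text):
    """Return (timestamp, ip, user, succeeded) tuples sorted by time; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2),
                           m.group(3), m.group(4) == "success"))
    return sorted(events)

def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, max_success_rate=0.3):
    """Flag source IPs that, inside one sliding window, try many distinct usernames
    with mostly failures. A member mistyping their own password (one username, a few
    failures) is not flagged; one IP walking a breached username/password list is."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            hits = sorted(u for _, u, ok in win if ok)
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                # "hits" are the accounts whose reused password worked: reset them and force MFA.
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users), "hits": hits}
    return flagged
```

Running `detect_stuffing(parse(SAMPLE_LOG))` flags only 203.0.113.7, with m1004 as the account that needs a credential reset; the repeated failures on m2001 from the second address are left alone.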

“Although APRA has consistently emphasised the importance of robust cyber security, it is clear that current controls are not always commensurate with the evolving vulnerabilities and threats, nor with the criticality and sensitivity of the member data and assets they protect,” the regulator wrote.

“The weaknesses we observed, especially in authentication controls, indicate a gap between APRA’s expectations … and current industry practice.

“While APRA recognises RSE licensees’ efforts to improve their cyber defences, given the evolving threat environment, we expect to see faster and more holistic implementation of these critical controls, alongside robust capabilities to respond to cyber incidents.”

APRA Deputy Chair Margaret Cole. Picture: John Feder/The Australian

The latest credential stuffing attack, in late March and early April, targeted a number of the biggest funds including AustralianSuper, Australian Retirement Trust, Hostplus, Cbus and Rest, exposing weaknesses across funds that collectively manage around $1 trillion in retirement savings.

AustralianSuper, the nation’s largest super fund with $360bn in assets, was the only fund to report losses. Hackers stole $750,000 from 10 AustralianSuper member accounts including $406,000 from a single account over a number of days.

That member, a 74-year-old Queensland woman, alerted the fund to the fraud after receiving letters in the post detailing some of the withdrawals. In total, six unauthorised withdrawals were made from her superannuation pension account over the space of a week from March 20.

Even after learning of the attack, the fund took days to lodge a formal fraud report with CBA, where the scammers had deposited the pensioner’s funds into so-called mule accounts. By then the money was long gone.

AustralianSuper has since fully reimbursed the 10 affected members, taking the $750,000 from the fund’s reserve pot.

At a minimum, APRA now expects entities to require multifactor authentication or equivalent controls for all high-risk activities such as changing member details, withdrawals and rollover requests, as well as for all administrative or privileged access.

MFA is a security measure that requires users to provide two or more forms of verification, such as a code sent to a phone or a fingerprint scan, so that a stolen or reused password on its own is not enough to access an account or move money.
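The expectation stated above is a step-up rule: a password-only session may look around, but a high-risk action or any privileged access must be backed by a recently proven second factor. The check below is an added illustration of that rule, not APRA’s wording or any fund’s code; the action names, the 15-minute freshness limit and the `Session` shape are assumptions.

```python
# Added example: step-up authorisation check for high-risk member actions (hypothetical policy).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Activities the regulator names as high-risk; privileged sessions are always high-risk.
HIGH_RISK_ACTIONS = {"change_member_details", "withdrawal", "rollover"}
MFA_FRESHNESS = timedelta(minutes=15)  # assumed: a second factor older than this must be re-proven

@dataclass
class Session:
    member_id: str
    privileged: bool                     # staff or administrative session
    mfa_verified_at: Optional[datetime]  # None means the session is password-only

def authorise(session, action, now):
    """Return (allowed, reason). Low-risk actions pass on the password alone; high-risk
    or privileged ones need a second factor proven within MFA_FRESHNESS of `now`.
    A credential-stuffed session therefore cannot withdraw or change payout details."""
    needs_mfa = action in HIGH_RISK_ACTIONS or session.privileged
    if not needs_mfa:
        return True, "low-risk action"
    if session.mfa_verified_at is None:
        return False, "step-up required: no second factor on this session"
    if now - session.mfa_verified_at > MFA_FRESHNESS:
        return False, "step-up required: second factor is stale"
    return True, "recent second factor present"
```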

The regulator first warned funds they should adopt MFA to protect members as far back as 2023.

AustralianSuper last month confirmed mandatory MFA was being rolled out in the coming weeks for all members with a registered mobile device.

As previously revealed by The Australian, while some funds have stepped up their security controls in recent weeks, others including Australian Retirement Trust and Cbus are moving slower, with multifactor authentication still not required for member logins. Neither fund was breached in the recent attack.

In late May, a Cbus spokesman said the fund was working on a program of enhanced security measures, including MFA at log-in: “We’re looking at how we can accelerate these in the coming months.”

ART, the nation’s second-biggest super fund, said it was considering an opt-out MFA function. “We’re focused on meeting members where they are, when providing digital protections, including options like MFA, and are continuing to work through how best to introduce an opt-out MFA process while limiting the impacts on member experience,” a spokesman said.

APRA has ordered super funds to perform a self-assessment of security controls and consider whether stronger controls may be needed in the evolving landscape. Where robust authentication controls have not been implemented or are deficient, APRA has ordered funds to submit a material control weakness notification and conduct a breach assessment by August 31.

Funds impacted by the recent breaches, meanwhile, will be required to undertake a special purpose engagement, rather than the self-assessment, to assess the adequacy and effectiveness of their authentication controls.

Originally published as APRA takes aim at super funds over lax cyber security


Original URL: https://www.ntnews.com.au/business/apra-takes-aim-at-super-funds-over-lax-cyber-security/news-story/f49542baf4ed10ddb92e0716593ab034