Super funds face steep fines after key security flaw let hackers in
Superannuation funds caught in the biggest cyber attack on Australians’ retirement savings potentially face hefty fines after hackers stole hundreds of thousands of dollars during the raids.
Australian Super did not protect its user accounts with multifactor authentication and, along with the other funds caught in a massive cyber heist, risks steep penalties from the financial regulator after hackers plundered hundreds of thousands of dollars of retirement savings.
Australian Super, Australian Retirement Trust, Hostplus and Rest – which collectively manage almost $1 trillion of savings on behalf of millions of Australians – were targeted in the coordinated attack.
Four AustralianSuper customers lost $500,000 during the strike, although the fund assured customers who were seeing a “$0 balance” on their profiles that they had secure accounts.
The hackers gained access to the accounts via a process known as “credential stuffing”, which involves using stolen usernames and passwords – some from previous cyber attacks – that are already circulating on the dark web.
The attackers exploit the fact that people often reuse the same passwords across different accounts, but companies that adopt multifactor authentication (MFA) can defend against such strikes more effectively.
But Australian Super told customers that it did not employ MFA and expects to deploy such security within the next 12-18 months.
When asked why Australian Super didn’t already have multifactor authentication to protect accounts, a spokesman said the fund was aiming to improve its digital security.
He said Australian Super had two-factor authentication but not the more secure MFA, which requires two or more methods to verify identity.
“AustralianSuper has an ongoing program of improving and enhancing cybersecurity measures as the nature and variety of cyberattacks change regularly,” the spokesman said.
“We already require two-factor authentication for a number of key interactions that members currently have with their accounts, and we are enhancing a range of security processes across our platforms.”
Anne-Louise Brown – former director of policy at the Cyber Security Cooperative Research Centre and now head of strategy at Akin Agency – said the superannuation funds may face penalties from the Australian Prudential Regulatory Authority.
These include steep fines and other measures to bolster their digital defences.
“If adequate consumer cybersecurity protections are found to have not been adopted, the companies could face significant financial penalties,” Ms Brown said.
Indeed, after hackers infiltrated Medibank’s customer database in 2022 – which led to the personal details and health records of up to 9.7 million Australians being published on the dark web – APRA forced the health fund to set aside $250m as ‘insurance’.
The regulator said the penalty reflected “weaknesses” it identified in Medibank’s information security environment.
“The financial services sector is heavily regulated when it comes to cyber security,” Ms Brown said.
“Not only do they need to take reasonable steps to protect their data under the critical infrastructure regime, they also have obligations under APRA.”
Ms Brown said super funds capture a significant amount of sensitive personal financial data, heightening the risk of identity theft and fraud if a breach occurs.
“In terms of Australia’s critical infrastructure regime, superannuation funds are unique in that they are classed as critical infrastructure but are also owners and operators of critical infrastructure via their investments,” Ms Brown said.
“Changes to the Security of Critical Infrastructure Act also mean that personal data is captured by the legislation, which was previously not the case.
“While it will take a while to unpick the full scale of the breach and how it occurred, it is concerning that sensitive personal financial data was potentially breached. Therefore, victims need to be alert to the risk of identity theft and fraud.”
Brett Winterford, regional chief security officer at US identity verification giant Okta, said credential stuffing had become one of the most common forms of attack against any company that offers a way to access accounts online.
“When we see waves of attacks like these, the superannuation funds that enrol their users in multi factor authentication (MFA) fare much better. Even if an attacker’s script matches a credential pair successfully, the attacker still has to try to bypass an MFA challenge to access the user account,” Mr Winterford said.
“The reality is that a lot of consumers don’t want to enrol in MFA to log-in, even to access something as critical as superannuation funds, so funds sometimes need to rely on compensating (additional) controls.”
Mr Winterford said multifactor authentication was also not one size fits all, so companies and customers should not be wary of using it.
“Once users are enrolled, the security team can dial the friction up and down as they see fit. They can choose to prompt the user at log-in, or only when they are logging in from a new location or device, or only to authorise transactions or when making changes to the account.”
He said security teams could also enable and enforce bot detection. “Services like Auth0 use machine learning algorithms to present a CAPTCHA challenge when they detect a request is likely to be a bot.”
Another way to make MFA more streamlined is using services that block or screen for known breached passwords.
“These features compare sign-ups or log-ins against lists of billions of known breached usernames and passwords. Organisations can decide to prevent a user from registering an account using one of these passwords, or to require existing users to reset their password,” Mr Winterford said.
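The three defences described above – spotting a credential-stuffing pattern in login traffic, prompting for MFA only on a new device or a sensitive action, and screening passwords against a breached list – as a single added Python example. This is illustrative code written for this article, not code from any of the funds or vendors named; the login attempts, device list and breached-password sample are constructed, and the hash-based comparison is an assumption of the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample of login attempts: (source_ip, username, succeeded).
# A stuffing run cycles through many different accounts from one source and mostly fails.
ATTEMPTS = [
    ("203.0.113.7", "alice", False), ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", False), ("203.0.113.7", "dave", True),
    ("203.0.113.7", "erin", False), ("203.0.113.7", "frank", False),
    ("198.51.100.2", "alice", False), ("198.51.100.2", "alice", True),
]

def stuffing_sources(attempts, min_users=5, max_success_rate=0.25):
    """Return sources whose traffic looks like credential stuffing: many distinct
    usernames from one source with a low success rate. A genuine user mistypes
    their own password a few times; they do not try other people's accounts."""
    users = defaultdict(set)
    totals = defaultdict(lambda: [0, 0])  # per source: [attempts, successes]
    for ip, user, ok in attempts:
        users[ip].add(user)
        totals[ip][0] += 1
        totals[ip][1] += ok
    return sorted(ip for ip, (n, s) in totals.items()
                  if len(users[ip]) >= min_users and s / n <= max_success_rate)

def mfa_required(known_devices, user, device_id, action):
    """Adaptive step-up: challenge when the device is unknown for this user or
    the action is sensitive; let a routine balance check on a known device through."""
    sensitive = {"withdrawal", "change_bank_details", "change_contact"}
    return device_id not in known_devices.get(user, set()) or action in sensitive

# Constructed breached-password sample. Storing only SHA-1 digests (an assumption
# of this example) means the plaintext list never sits beside live user passwords.
BREACHED_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper()
                   for p in ("password1", "qwerty123", "Summer2024!")}

def password_is_breached(password):
    """True if the candidate password appears in the breached list; a registration
    would be refused, or an existing user forced to reset, on a True result."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_HASHES
```

The thresholds in `stuffing_sources` are deliberately simple; a production rule would also window by time and rate-limit or CAPTCHA the flagged source rather than just report it.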