NewsBite

Cbus caught up in super funds hack

By Sumeyya Ilanbey

Cybercriminals hacked into construction industry superannuation fund Cbus just days after Australia’s largest superannuation funds were hit by a co-ordinated cyberattack.

The $100 billion superannuation giant said on Monday it was not yet clear whether the attack against the fund was part of the hit that recently affected AustralianSuper, Australian Retirement Trust, Rest, Hostplus and Insignia Financial.

A Cbus spokesman said the fund noticed an “unusually high spike in login attempts” last week after some funds on Friday revealed they were hit by hackers between March 25 and March 26.

Cbus has joined the list of major Australian super funds targeted by hackers. Credit: Getty Images

“The unusually high spike in log-in attempts coincided with a time of significant market volatility, potentially causing increased member engagement,” the spokesman said.

“Out of an abundance of caution, the fund is investigating a small number of accounts that may have been impacted – including accounts where multifactor authentication was triggered in the hours before and after the spike event.”

Cbus said it had reported the attack to the Australian Prudential Regulation Authority at the weekend. The fund said its investigations so far indicated no funds had been transferred out of members’ accounts.

AustralianSuper on Friday reported that the cyberattack had a financial impact on its members, with four people losing a combined $500,000.

AustralianSuper’s app crashed on Friday afternoon after members were advised to check their accounts and change passwords. While many were unable to log into their accounts, some were seeing their balances completely wiped out.

The attackers targeting the super funds appear to be familiar with the country’s superannuation system as they have mainly targeted people who are in the pension draw-down phase and can request lump sum withdrawals.

CyberCX chief strategy officer Alastair MacGibbon said at the weekend that the hackers were unlikely to be found and could strike again, but urged customers not to panic.

He added that the super fund hack appeared at this early stage to be an example of “credential stuffing”, a type of attack in which a user’s data and passwords were stolen from any one of their online accounts and sold on the dark web.

“In effect, if people use the same passwords for multiple accounts, it only takes one data breach for persistent and savvy criminals to gain unauthorised access to their other accounts,” he said.

with Brittany Busch and Michaela Whitbourn

Original URL: https://www.theage.com.au/business/markets/cbus-caught-up-in-super-funds-hack-20250407-p5lpwl.html