
Super hack a ‘wake-up call’ to make funds safe as a bank

By Brittany Busch and Michaela Whitbourn

Trillions of dollars in superannuation will be at risk of further cyberattacks until super funds boost their digital safeguards, according to one of Australia’s leading cybersecurity experts.

But he said account holders could take an important step to protect themselves against hacks such as this week’s breach in which criminals accessed thousands of Australians’ personal details and stole hundreds of thousands of dollars in superannuation.

Former eSafety commissioner Alastair MacGibbon says lack of communication from the super funds after the breaches caused panic and confusion. Credit: Dominic Lorrimer

Australian Retirement Trust, AustralianSuper, HostPlus, Rest and Insignia Financial, which have a combined 11.7 million members and manage almost $1 trillion worth of assets, all fell victim to the attack that came to light on Friday.

CyberCX chief strategy officer Alastair MacGibbon said the hackers were unlikely to be found and could strike again, but urged customers not to panic.

He said creating a unique and hard-to-guess password was a simple first step people could take to protect themselves.

“The trick is in the unique bit,” he said. “It needs to be different [to other accounts] because if one of those organisations loses data and my password, then it can be replayed by the criminals into other accounts that I have online.”


MacGibbon said the super fund hack appeared at this early stage to be an example of “credential stuffing”, a type of attack in which a user’s data and passwords were stolen from any one of their online accounts and sold on the dark web.

“In effect, if people use the same passwords for multiple accounts, it only takes one data breach for persistent and savvy criminals to gain unauthorised access to their other accounts,” he said.


“It could be from Medibank, it could be from Optus, it could be from Latitude. It could be from all the other breaches that you haven’t heard of.”

“They package [the data] up ... and they play it against other websites. In this case, they’ve gone after superannuation companies for good reason – because they’ve got money and they’re less well defended than a bank.”
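The attack MacGibbon describes, replaying a breached username and password list against another site, has a recognisable shape from the defender's side: one source address walking through many different accounts in a short time, most attempts failing and a few succeeding. The following detection is an added example, not code from the article or from any fund; the log format, the ten-minute window and the thresholds are assumptions, and the log lines are constructed.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the article or from any superannuation fund:
it flags a source address that tries logins against many distinct accounts
with a high failure rate inside a short window, which is what replaying a
breached password list looks like to the defender. The log format, the
thresholds and the window length are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
# One source walks through twelve accounts (two reused passwords still work);
# the other is a single member mistyping their own password and then getting in.
SAMPLE_LOG = """\
2025-04-04T02:00:01 203.0.113.9 member1041 FAIL
2025-04-04T02:00:02 203.0.113.9 member2210 FAIL
2025-04-04T02:00:02 203.0.113.9 member0311 OK
2025-04-04T02:00:03 203.0.113.9 member8876 FAIL
2025-04-04T02:00:04 203.0.113.9 member5502 FAIL
2025-04-04T02:00:05 203.0.113.9 member7713 FAIL
2025-04-04T02:00:06 203.0.113.9 member9190 OK
2025-04-04T02:00:07 203.0.113.9 member4420 FAIL
2025-04-04T02:00:08 203.0.113.9 member1300 FAIL
2025-04-04T02:00:09 203.0.113.9 member6625 FAIL
2025-04-04T02:00:10 203.0.113.9 member2009 FAIL
2025-04-04T02:00:11 203.0.113.9 member3381 FAIL
2025-04-04T08:15:00 198.51.100.4 member0311 FAIL
2025-04-04T08:15:20 198.51.100.4 member0311 FAIL
2025-04-04T08:15:45 198.51.100.4 member0311 OK
"""


@dataclass
class Attempt:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), src, user, result == "OK"))
    return attempts


def stuffing_sources(attempts, window=timedelta(minutes=10),
                     min_users=10, min_fail_ratio=0.7):
    """Return {source: (distinct_users, fail_ratio, accounts_that_succeeded)}.

    For each source a sliding time window of length `window` is walked over its
    attempts; the source is flagged if any window touches at least `min_users`
    distinct accounts with a failure ratio of `min_fail_ratio` or more, and the
    widest matching window is reported. Accounts whose login *succeeded* inside
    such a window have had a reused password confirmed and need a forced reset
    and session revocation.
    """
    by_src = defaultdict(list)
    for a in attempts:
        by_src[a.src].append(a)

    flagged = {}
    for src, rows in by_src.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        best = None
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window:
                start += 1
            win = rows[start:end + 1]
            users = {a.user for a in win}
            fail_ratio = sum(1 for a in win if not a.ok) / len(win)
            if len(users) >= min_users and fail_ratio >= min_fail_ratio:
                if best is None or len(users) > best[0]:
                    hits = sorted({a.user for a in win if a.ok})
                    best = (len(users), round(fail_ratio, 2), hits)
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, (n_users, ratio, hits) in stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {n_users} accounts, {ratio:.0%} failures, working passwords for {hits}")
```

The member who fails twice and then logs in is never flagged, because the rule keys on the number of distinct accounts a source touches, not on failures alone. The list of accounts that succeeded inside a flagged window is the actionable output: those are the members whose reused password has just been confirmed.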

But he said the super funds had a responsibility to protect the trillions of dollars of Australians’ earnings they managed, and called on the funds to increase their cybersecurity.

“They need to be thinking of themselves as the same as banks,” MacGibbon said. “Banks have put in place more security, and it’s time for the regulators to make sure that the superannuation companies are doing the same thing.”

MacGibbon said he was not aware what security measures the super funds had in place, but strong multifactor authentication may help.

The former eSafety commissioner said a common multifactor authentication method, in which a “secure” code is sent to an account holder via text message, would be useless if hackers could use a stolen password to access the superannuation account and change the registered mobile number.

App-based multifactor authentication is regarded as less vulnerable to attack than secure codes sent via text message. Credit: Istock

He said when the hackers then transferred the funds out, they would receive the multifactor authentication text message, not the account holder. Multifactor authentication through an app was more secure because it all happened within the one phone.

MacGibbon said the super fund hackers, who made off with about $500,000 of four AustralianSuper customers’ money, would likely transfer the stolen funds into smaller banks that allowed transfers into cryptocurrency exchanges, making it almost impossible to trace.

He said funds should also increase anti-fraud technologies that detect abnormal behaviour, such as if a regular contributor’s account suddenly changed phone number and address and requested money be paid out.
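The two controls described above, refusing to send the payout confirmation code to a freshly changed phone number and flagging a payout request that follows a change of phone number and address, can be expressed as a small rule set over an account's event history. The code below is an added example, not code from the article or from any superannuation fund; the event format, the seven-day cooling-off period and the "hold for review" outcome are assumptions, and the event history is constructed.

```python
"""Payout-after-contact-change detection and confirmation-code routing.

Added example, not code from the article or from any superannuation fund.
It covers two controls the article describes: flagging a payout request that
follows a recent change of phone number and address, and sending the
confirmation code to the number that was on file *before* the change so that
whoever swapped the number does not receive it. The event format, the 7-day
cooling-off period and the hold decision are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

COOLING_OFF = timedelta(days=7)  # assumed: how long a new contact detail stays untrusted


@dataclass
class Event:
    ts: datetime
    kind: str         # "login", "change_phone", "change_address", "payout_request"
    detail: str = ""  # new value for changes, amount for payouts


# Constructed history for one member account: a late-night login, both contact
# details changed within minutes, then a payout request under an hour later.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 1, 9, 0), "login"),
    Event(datetime(2025, 4, 3, 23, 10), "login"),
    Event(datetime(2025, 4, 3, 23, 12), "change_phone", "+61400000999"),
    Event(datetime(2025, 4, 3, 23, 15), "change_address", "1 Example St"),
    Event(datetime(2025, 4, 4, 0, 2), "payout_request", "125000"),
]


def recent_changes(events, at, cooling_off=COOLING_OFF):
    """Contact-detail changes made within `cooling_off` before time `at`."""
    return [e for e in events
            if e.kind in ("change_phone", "change_address")
            and at - cooling_off <= e.ts <= at]


def trusted_phone(events, initial_phone, at, cooling_off=COOLING_OFF):
    """Phone number that has been on file for at least `cooling_off` at time `at`.

    Changes younger than that are ignored, so a freshly swapped number never
    receives the payout confirmation code; the number the member registered
    earlier does, and the member can refuse the transaction.
    """
    number = initial_phone
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "change_phone" and e.ts <= at - cooling_off:
            number = e.detail
    return number


def assess_payout(events, payout, initial_phone, cooling_off=COOLING_OFF):
    """Return (decision, reasons, code_destination) for a payout request event.

    decision is "allow" or "hold" (route to manual review); reasons say why.
    """
    reasons = []
    kinds = {c.kind for c in recent_changes(events, payout.ts, cooling_off)}
    if "change_phone" in kinds:
        reasons.append("phone number changed within cooling-off period")
    if "change_address" in kinds:
        reasons.append("address changed within cooling-off period")
    if len(kinds) >= 2:
        reasons.append("several contact details changed shortly before payout")
    decision = "hold" if reasons else "allow"
    return decision, reasons, trusted_phone(events, initial_phone, payout.ts, cooling_off)


if __name__ == "__main__":
    decision, reasons, dest = assess_payout(SAMPLE_EVENTS, SAMPLE_EVENTS[-1], "+61400000111")
    print(decision, reasons, "confirmation code goes to", dest)
```

For the constructed history the payout is held and the code is routed to the number on file before the change; the same request made weeks later, with no newer changes, is allowed and uses the new number, because by then the member has had the cooling-off period to notice and dispute a change they did not make.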


MacGibbon said a lack of communication from the super funds after the breaches caused panic and confusion for members, and prioritising transparency and immediately repaying any stolen money would increase consumer confidence.

“A lot of people tried logging into their accounts, and obviously the organisations couldn’t cope with that volume of traffic. People were either seeing zero balances or they were not able to get in, which is problematic. They’ve got to communicate.”

He said the attack was a sustained and large-scale fraud attempt, but it had not been a disaster.

“This is what I call a wake-up call,” he said. “But [the hackers] haven’t made off like bandits. They haven’t made off with millions of dollars … because there is some security in place.

“To individuals who’ve had their superannuation stolen, it’s not a small crime, of course, but they will get their money back ... There is not a superannuation company in Australia that would run the risk of saying ‘no, we’re not liable for that’. They would be playing with fire, and I will be first in the queue to condemn them.”

An Australian Prudential Regulation Authority spokeswoman said on Friday any superannuation members concerned they had lost money should contact their fund.

“Broadly, all super funds hold reserve funds, including the operational risk financial reserve, that could be used to support members in such circumstances,” the spokeswoman said. “Funds may also rely upon other sources such as insurance cover.”

Jonathan Steffanoni, managing partner at Melbourne-based law firm Legal & Prudential, said the “overarching context” was that the superannuation funds and members were “both victims of a crime”.

He said it appeared there had been a data breach under the Commonwealth Privacy Act, for which members might seek compensation via the Office of the Australian Information Commissioner. But there were limits on the compensation payable.

“That channel of redress is not designed to deal with instances of fraud,” Steffanoni said.

He said members whose funds had been stolen might also seek compensation by making a complaint to the trustee of their fund or the Australian Financial Complaints Authority.

However, Steffanoni believed it was “quite likely that the trustee and the members involved here will proactively come to some kind of settlement”. This would bypass a costly courts process and potentially also AFCA.

He said questions might arise about whether members had “contributed to some extent” to their loss by re-using passwords or not using two-factor authentication where available.

But in this case, there was still limited public information about exactly what had happened, Steffanoni said.


A spokesperson for Rest, one of the targeted super funds, on Saturday reassured members that no money had left their accounts.

“The security of our members’ accounts is our No.1 priority,” the spokesperson said.

Rest confirmed it had faced issues with its online member portal and app due to a high number of customer queries, and its call centre was also dealing with high call volumes.

“We’re sorry for the inconvenience and we appreciate our members’ patience,” they said.

Australian Retirement Trust, AustralianSuper, HostPlus and Insignia Financial declined to provide an update on Saturday.

With Ashleigh McMillan


Original URL: https://www.theage.com.au/money/super-and-retirement/super-hack-a-wake-up-call-to-make-funds-safe-as-a-bank-20250405-p5lpfo.html