
Super funds waited five days to call police about cyber attack

The AFP have finally received a report into last week’s cyber attack on the nation’s biggest super funds, while Tony Burke has downplayed the heist, saying only ‘four people’ had money stolen.

CyberCX chief strategy officer Alastair MacGibbon.

A cyber attack on Australia’s biggest industry superannuation funds has descended into a farce, with confusion among law enforcement agencies about who is leading the investigation into the raid.

Home Affairs Minister Tony Burke has attempted to play down the heist, saying only four people had money stolen. “That’s where that’s at,” he said.

The Australian Federal Police said on Wednesday it had received a report of a crime - five days after the cyber attack - and that Victoria Police would lead the investigation. But a Victoria Police spokeswoman said it was yet to formally investigate.

“Victoria Police is aware of a number of incidents where it appears superannuation accounts have been hacked. We are currently working with other law enforcement agencies and stakeholders to assess the available information,” she said late on Wednesday.

Cyber security experts say a criminal gang rather than a foreign state appears to be responsible for the attack on industry super funds that fleeced at least hundreds of thousands of dollars in Australian retirement savings. Criminals are reportedly looking to sell what they say are stolen credentials from super funds on the dark web.

Despite repeated warnings from Australia’s financial and corporate regulators to strengthen online security in the past two years, Mr Burke said he believed super funds were doing a good job.

“First of all, every business in Australia needs to be constantly upgrading its security, and any time that any business is attacked, then you need to make sure that you’re upgrading,” Mr Burke told Sky News.

He said cyber security co-ordinator Michelle McGuinness was “happy” with the funds’ response. “In terms of the number of people who have lost money at this point – and obviously there has been a process for them to have their funds reinstated – but at the moment, we are talking about four people. That’s where that’s at.”

Opposition home affairs spokesman James Paterson has accused the government of failing to take the superannuation account breaches seriously. Mr Burke said: “Mr Paterson seems obsessed with, he judges everything in terms of national security by how much media you do.”

But one of the super heist’s victims, a 74-year-old Queensland woman, said scammers wiped more than $400,000 from her AustralianSuper account, and AustralianSuper only remediated the money after receiving inquiries from this masthead.

AustralianSuper call centre staff failed to escalate the siphoning of her savings up the ranks when she contacted them on March 28 and repeatedly refused her requests to speak to fraud specialists in the following days.

AustralianSuper, which is headquartered in Melbourne, told The Australian on Tuesday afternoon that it had contacted the AFP to report the attack.

Attribution this early after an attack is fraught, however, and the assessment that a criminal gang rather than a foreign state is responsible rests largely on the apparent motive: money.

“Criminals monetise harm. They can steal money directly, they’ll steal things they can parlay for money, or they will do things that will lead you to money – like ransomware where they lock up computer systems and demand money,” CyberCX chief strategy officer and former government adviser Alastair MacGibbon says.

“In this case, it would seem criminals looking to either steal information related to superannuation accounts or use stolen information to try to gain access to superannuation accounts in order to get access to money.”

Association of Superannuation Funds CEO Mary Delahunty dismissed ASIC’s warning in January. Picture: Martin Ollman/NewsWire

The Australian revealed at the weekend that AustralianSuper – which manages more than $365bn in savings and said it has “remediated” funds back to members – did not have multifactor authentication to secure accounts, unlike the big banks.

This allowed hackers to get into accounts by credential stuffing: replaying username and password pairs stolen in earlier, unrelated breaches against the fund’s login page, on the bet that members reuse passwords. A second factor defeats the technique because a leaked password alone is no longer enough to log in.
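Credential stuffing has a distinctive shape in authentication logs: one source trying many different accounts in quick succession with a high failure rate, and the occasional success being the account takeover. The following is an added example of detection logic run over sample portal login records; it is not code from the article, from AustralianSuper or from any vendor. The log line format, the field names `src`/`user`/`result`, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
"""Detect credential-stuffing bursts in web-portal login logs.

Added example, not code from the article or any fund. The log format,
field names and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not real data). One attempt per line:
#   <ISO timestamp> src=<ip> user=<member id> result=<ok|fail>
# 203.0.113.7 sprays ten different member IDs in ten seconds and gets
# two hits; 198.51.100.20 is one member mistyping a password twice.
SAMPLE_LOG = """\
2025-03-28T02:00:01Z src=203.0.113.7 user=m1001 result=fail
2025-03-28T02:00:02Z src=203.0.113.7 user=m1002 result=fail
2025-03-28T02:00:03Z src=203.0.113.7 user=m1003 result=fail
2025-03-28T02:00:04Z src=203.0.113.7 user=m1004 result=ok
2025-03-28T02:00:05Z src=203.0.113.7 user=m1005 result=fail
2025-03-28T02:00:06Z src=203.0.113.7 user=m1006 result=fail
2025-03-28T02:00:07Z src=203.0.113.7 user=m1007 result=fail
2025-03-28T02:00:08Z src=203.0.113.7 user=m1008 result=ok
2025-03-28T02:00:09Z src=203.0.113.7 user=m1009 result=fail
2025-03-28T02:00:10Z src=203.0.113.7 user=m1010 result=fail
2025-03-28T09:15:00Z src=198.51.100.20 user=m2001 result=fail
2025-03-28T09:15:20Z src=198.51.100.20 user=m2001 result=fail
2025-03-28T09:15:40Z src=198.51.100.20 user=m2001 result=ok
2025-03-28T10:00:00Z src=198.51.100.21 user=m3001 result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")


def parse(log_text):
    """Yield (timestamp, src_ip, user, success) per well-formed line.
    Malformed lines are skipped rather than crashing the detector."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "ok"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within any sliding window, try at least
    min_distinct_users different accounts with a failure ratio of at
    least min_fail_ratio. Returns {src_ip: {"attempts", "distinct_users",
    "takeovers"}} where "takeovers" lists accounts that logged in
    successfully from the flagged source (the likely compromised ones)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse(log_text):
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            if len(users) >= min_distinct_users and fails / len(span) >= min_fail_ratio:
                rec = flagged.setdefault(
                    src, {"attempts": 0, "distinct_users": 0, "takeovers": set()})
                rec["attempts"] = max(rec["attempts"], len(span))
                rec["distinct_users"] = max(rec["distinct_users"], len(users))
                rec["takeovers"].update(u for _, u, ok in span if ok)

    for rec in flagged.values():
        rec["takeovers"] = sorted(rec["takeovers"])
    return flagged


if __name__ == "__main__":
    for src, rec in detect_stuffing(SAMPLE_LOG).items():
        print(src, rec)
```

The distinct-user threshold is what separates stuffing from an ordinary member who fails a few times on their own account: the second source in the sample fails twice but never trips the rule. In production the same logic would key on a session or device fingerprint as well as source IP, since stuffing tools rotate through proxy pools.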

AustralianSuper said it would repay the $500,000 to the four victims out of its operational risk reserve. This reserve is funded by member fees.

An AustralianSuper spokesperson said MFA will be launched next month. The fund had previously told members it expected it to be deployed within 18 months.

“We have accelerated the work that was already in train to introduce wider MFA controls and expect those to be fully in place across more member actions in May,” the spokesperson said.

“We are in the process of introducing two-factor authentication for logins on the web portal, which we expect will occur within a month. It is already in place for logins on the mobile app.”

Other funds caught in the attack include Australian Retirement Trust, Hostplus and Rest, along with Insignia-owned platform MLC Expand. Construction industry super fund Cbus was targeted in a similar attack days later.

The reason for the delay in contacting police is the way the Australian Cyber Security Centre directs people and companies to report cyber crime. Unless there has been fraud, harm or a loss, reports are instead directed to the Australian Signals Directorate.

But a Department of Home Affairs spokeswoman said: “Investigations are a matter for law enforcement”.

The cyber attack comes after the Australian Prudential Regulation Authority – which regulates super funds – warned trustees almost two years ago that it expected them to secure accounts with MFA, saying it was one of the top “mitigation strategies to protect against cyber attacks”.

“The recent spate of high-profile cyber-attacks in Australia are a timely reminder to APRA-regulated entities to remain vigilant and to continue to take steps to reduce the likelihood and impact of cyber-attacks,” said APRA’s general manager for operational resilience Alison Bliss.

“Multifactor authentication is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.”

The super funds face significant financial penalties from APRA if it finds that their online defences were insufficient.

For example, after hackers infiltrated Medibank’s customer database in 2022 – which led to the personal details and health records of up to 9.7 million Australians being published on the dark web – APRA forced the health fund to set aside $250m as ‘insurance’.

The regulator said the penalty reflected “weaknesses” it identified in Medibank’s information security environment. Medibank is now set to be forced to hand over the investigative reports into the cyber attack to customers who are suing the private health insurer.

The Australian Securities & Investments Commission warned super fund trustees in late January to strengthen their security, saying weak controls exposed members to scams. But Association of Superannuation Funds chief executive Mary Delahunty dismissed ASIC’s warning at the time, declaring “superannuation funds are actually some of the safest places in the country to have your money”.

Hesta, which said it has not been breached and whose chair is former attorney general and health minister Nicola Roxon, introduced MFA as a mandatory security measure in February, saying it was an “effective way to protect your valuable information and accounts against unauthorised access by using more than one way — such as a password — to verify your identity”.

Jared Lynch, Technology Editor

Jared Lynch is The Australian’s Technology Editor, with a career spanning two decades. Jared is based in Melbourne and has extensive experience in markets, start-ups, media and corporate affairs. His work has gained recognition as a finalist in the Walkley and Quill awards. Previously, he worked at The Australian Financial Review, The Sydney Morning Herald and The Age.


Original URL: https://www.theaustralian.com.au/business/technology/super-funds-finally-call-the-police-over-cyber-attack/news-story/f81a518d64a9b02cd8c43100f6faee70