
Tony Burke goes soft on Big Super as cyber attack sinks into farce

The AFP have finally received a report into last week’s cyber attack on the nation’s biggest super funds, while Tony Burke has downplayed the heist, saying only ‘four people’ had money stolen.

ACTU president Michele O'Neil of AustralianSuper, Queensland Labor powerbroker and United Workers Union state secretary Gary Bullock of Hostplus, former Victorian Labor cabinet minister James Merlino of Rest, and former Queensland Labor treasurer Andrew Fraser of Australian Retirement Trust.

A cyber attack on Australia’s ­biggest industry superannuation funds has descended into farce amid confusion among law-­enforcement agencies about who is leading an investigation into the raid.

Meanwhile, Home Affairs Minister Tony Burke has attempted to play down the heist, saying only four people had money ­stolen. “That’s where that’s at,” he said on Wednesday.

The Australian Federal Police said it had received a report of a crime – five days after the cyber attack – and that Victoria Police would lead the investigation.

But a Victoria Police spokes­woman said the force was yet to formally investigate.

“Victoria Police is aware of a number of incidents where it appears superannuation accounts have been hacked. We are currently working with other law enforcement agencies and stake­holders to assess the available information,” the spokeswoman said late on Wednesday.

Despite repeated warnings to the funds from financial and corporate regulators telling them to strengthen their online security, Mr Burke said he believed super funds were doing a good job.

“Every business in Australia needs to be constantly upgrading its security, and any time that any business is attacked, then you need to make sure that you’re upgrading,” he told Sky News.

He said cyber security co-ordinator Michelle McGuinness was “happy” with the funds’ response. “In terms of the number of people who have lost money at this point – and obviously there has been a process for them to have their funds reinstated – but at the moment we are talking about four people. That’s where that’s at.”

Opposition home affairs spokesman James Paterson has accused the government of failing to take the super account breaches seriously. Mr Burke said: “Mr Paterson seems obsessed … he judges everything in terms of national security by how much media you do.”

But one of the super heist’s victims, a 74-year-old Queensland woman, said scammers wiped more than $400,000 from her AustralianSuper account and AustralianSuper remediated the money only after receiving inquiries from this masthead.

AustralianSuper call centre staff failed to escalate the siphoning of her savings up the ranks when she contacted them on March 28 and repeatedly refused her requests to speak to fraud specialists in the following days.

AustralianSuper, which is headquartered in Melbourne, told The Australian on Tuesday afternoon it had contacted the AFP to report the attack.

Cyber security experts say a criminal gang rather than a foreign state appears to be responsible for the raid on industry super funds that fleeced hundreds of thousands of dollars in retirement savings. Criminals are reportedly looking to sell what they say are stolen credentials from super funds on the dark web.

“Criminals monetise harm. They can steal money directly, they’ll steal things they can parlay for money, or they will do things that will lead you to money – like ransomware where they lock up computer systems and demand money,” CyberCX chief strategy officer Alastair MacGibbon said.

CyberCX chief strategy officer Alastair MacGibbon.

“In this case it would seem criminals looking to either steal information related to superannuation accounts or use stolen information to try to gain access to superannuation accounts in order to get access to money.”

The Australian revealed at the weekend that AustralianSuper – which manages more than $365bn in savings and said it had “remediated” funds back to members – did not have multifactor authentication (MFA) to secure accounts, unlike the big banks.

This allowed hackers to stage an attack known as credential stuffing, which involves trying stolen username and password pairs, some taken from previous cyber attacks, against the fund's login page; without MFA, a matching pair alone is enough to get in.
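As an added illustration of what a fund's security team could look for, not code from the article or from any of the funds named, the following script scans a constructed portal login log for the signature of a credential-stuffing run: one source address cycling through many distinct usernames with a low success rate. The log format, thresholds and member names are assumptions.

```python
from collections import defaultdict

# Constructed sample login log (not real data): timestamp, source IP, username, outcome.
# 203.0.113.7 walks a list of accounts; 198.51.100.20 is a member retrying one password.
SAMPLE_LOG = """\
2025-03-28T09:00:01 203.0.113.7 member1001 FAIL
2025-03-28T09:00:02 203.0.113.7 member1002 FAIL
2025-03-28T09:00:02 203.0.113.7 member1003 FAIL
2025-03-28T09:00:03 203.0.113.7 member1004 SUCCESS
2025-03-28T09:00:03 203.0.113.7 member1005 FAIL
2025-03-28T09:00:04 203.0.113.7 member1006 FAIL
2025-03-28T09:00:04 203.0.113.7 member1007 FAIL
2025-03-28T09:00:05 203.0.113.7 member1008 FAIL
2025-03-28T09:05:00 198.51.100.20 member2001 FAIL
2025-03-28T09:05:30 198.51.100.20 member2001 SUCCESS
"""


def parse_log(text):
    """Split each line into (timestamp, ip, username, outcome); blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((ts, ip, user, outcome))
    return events


def detect_credential_stuffing(events, min_users=5, max_success_rate=0.2):
    """Flag source IPs that try many distinct usernames and mostly fail.

    A member who mistypes a password hits one account repeatedly; a stuffing run
    replays a breached credential list, so nearly every attempt names a new account.
    Any SUCCESS from a flagged IP is a login where the password alone sufficed, which
    is exactly the case MFA is meant to close; those accounts are listed for follow-up.
    """
    by_ip = defaultdict(list)
    for _, ip, user, outcome in events:
        by_ip[ip].append((user, outcome))
    flagged = {}
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        rate = sum(1 for _, o in attempts if o == "SUCCESS") / len(attempts)
        if len(users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users),
                "success_rate": round(rate, 3),
                "accounts_to_review": sorted(u for u, o in attempts if o == "SUCCESS"),
            }
    return flagged
```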

AustralianSuper said it would repay the $500,000 to the four victims out of its operational risk reserve. This reserve is funded by member fees.

An AustralianSuper spokesperson said MFA would be launched next month. The fund had previously told members it expected it to be deployed within 18 months.

“We have accelerated the work that was already in train to introduce wider MFA controls and expect those to be fully in place across more member actions in May,” the spokesperson said. “We are in the process of introducing two-factor authentication for logins on the web portal, which we expect will occur within a month. It is already in place … on the mobile app.”

Other funds caught in the attack include Australian Retirement Trust, Hostplus and Rest, along with Insignia-owned platform MLC Expand.

Construction industry super fund Cbus was targeted in a similar attack days later.

The reason for the delay in contacting police is the way the Australian Cyber Security Centre directs people and companies to report cyber crime. Unless there has been fraud, harm or a loss, reports are instead directed to the Australian Signals Directorate.

But a Department of Home Affairs spokeswoman said: “Investigations are a matter for law enforcement.”

The cyber attack comes after the Australian Prudential Regulation Authority warned trustees almost two years ago it expected them to secure accounts with MFA, saying it was one of the top “mitigation strategies to protect against cyber attacks”.

“The recent spate of high-profile cyber attacks in Australia are a timely reminder to APRA-regulated entities to remain vigilant and to continue to take steps to reduce the likelihood and impact of cyber attacks,” APRA general manager for operational resilience Alison Bliss said. “Multifactor authentication is one of the most effective controls an organisation can implement.”

The funds face significant financial penalties if APRA finds their defences were insufficient.

Jared Lynch, Technology Editor

Jared Lynch is The Australian’s Technology Editor, with a career spanning two decades. Jared is based in Melbourne and has extensive experience in markets, start-ups, media and corporate affairs. His work has gained recognition as a finalist in the Walkley and Quill awards. Previously, he worked at The Australian Financial Review, The Sydney Morning Herald and The Age.

Original URL: https://www.theaustralian.com.au/nation/politics/tony-burke-goes-soft-on-big-super-as-cyber-attack-sinks-into-farce/news-story/3f1f08ffba795b12c7bf3b32a0800ca7