EXCLUSIVE

Scammers siphon $406,000 from pensioner’s AustralianSuper account

A 74-year-old Queensland woman has had her life savings stolen from her AustralianSuper account by scammers. The fund took a full week to alert the public to any fraud risk.

The nation’s biggest super funds have been targeted by scammers, with one woman losing more than $400,000. Picture: istock

A 74-year-old Queensland woman has gone to the police after $406,000 was fraudulently wiped from her AustralianSuper account.

More than a week after she first noticed the money was missing, the super giant had still given no assurances on whether it would cover the loss.

Six unauthorised withdrawals were made from her superannuation pension account over the space of a week from March 20, totalling $406,000. The money was sent to five different Commonwealth Bank accounts set up by the scammers.

The pensioner, who asked to remain anonymous, was only made aware of the fraud when she received two separate letters from AustralianSuper confirming successful withdrawals of $20,000 and $100,000 on March 21 and March 24. The letters were received on March 28, more than a week after the first lot of money was siphoned from her account.

She immediately contacted the fund to inform them these transactions were not authorised. But days later, AustralianSuper had still not raised any fraud report with CBA.

AustralianSuper has confirmed to The Australian that she is one of the four members it has identified as victims of a co-ordinated cyber attack launched against some of the nation’s largest funds in recent days.

AustralianSuper, Australian Retirement Trust, Hostplus and Rest – which collectively manage almost $1 trillion of savings on behalf of millions of Australians – were targeted in the heist, along with Insignia-owned platform MLC Expand.

AustralianSuper has told its members it had seen a “spike in suspicious activity across a small number of members’ online accounts” in the week to April 4, but the latest revelations show scammers were accessing member accounts for days before the “spike”. Indeed, the timeline suggests AustralianSuper had no idea of the mass attack until victims alerted them to the crime.

AustralianSuper then froze the account, but the damage was done, with 90 per cent of the pensioner’s life savings lost. Eighteen days after criminals first began looting from her account, and 10 days after AustralianSuper was informed of the fraud totalling more than $400,000, the fund on Monday confirmed it would cover the losses and has since remediated her account. Confirmation came shortly after The Australian made enquiries with the fund on the case.

“We have now thoroughly investigated the incidents in which money was transacted out of a member’s account and all of those are being remediated. Remediations will be made from fund reserves,” AustralianSuper chief member officer Rose Kerlin said.

“We became aware of a spike in suspicious activity on March 27 and 28 and took immediate action to lock accounts and investigate.”

The latest crisis to hit the superannuation sector comes after a wave of scandals that have battered the industry and highlighted a gaping hole in member services and protections.

While the other funds impacted have confirmed ‘suspicious activity’ on accounts in recent days, the prudential regulator told others in the industry to come forward by Monday if they had similarly been targeted by scammers. Cbus confirmed late on Monday that it had seen a spike in log-in attempts late last week, with 85 of its member accounts impacted.

To date, AustralianSuper is the only fund to confirm member losses – $500,000 across four members so far – but there could be more: the fund is still going through the 600 accounts breached to see if there are any other victims.

If it compensates members, it will do so through its bulging operational risk reserve, which it has built up in recent years. The reserve is funded by member fees.

AustralianSuper, the nation’s largest super giant with assets under management of $360bn, failed to protect its members’ accounts using what is known as multifactor authentication – a security standard many of the big banks use and advocate.

This has left the door open for potentially hefty financial penalties from the financial watchdog if it is found the super funds’ digital security systems were weak or insufficient.

Separately, regulators may pursue the chief executives and other key management personnel of the funds if they are found to have breached their legal obligations. But at AustralianSuper, CEO Paul Schroder’s pay will remain untouched due to a quirk of the Financial Accountability Regime that now applies to the super industry.

The FAR, jointly administered by ASIC and the prudential regulator and aimed at improving risk governance culture, has been in place for banks for the past year but was extended to the superannuation and insurance industries only last month.

A key component of the regime is that it forces funds to defer a portion (40 per cent) of executives’ variable remuneration as insurance against future failings.

Unlike most other funds, AustralianSuper’s CEO does not have a variable component to his pay, meaning he can face no direct financial consequences under the regime. Variable remuneration at AustralianSuper only applies to the investment team.

The latest scandal highlights failures in cyber security at some of the nation’s biggest financial institutions and comes months after ASIC wrote to super funds urging them to bolster their online security, warning “weak” protection exposed members’ retirement savings to data breaches and fraud.

Association of Superannuation Funds chief executive Mary Delahunty dismissed ASIC’s warning, declaring “superannuation funds are actually some of the safest places in the country to have your money”.

“Australia’s superannuation account holders shouldn’t be alarmed: the sector is taking action now to future-proof against any potential risks, even though scams are incredibly rare in the superannuation sector,” Ms Delahunty said at the time.

Originally published as Scammers siphon $406,000 from pensioner’s AustralianSuper account

Original URL: https://www.thechronicle.com.au/business/scammers-siphon-406000-from-pensioners-australiansuper-account/news-story/f4681264592e79ced02877ed8eefcb53