EXCLUSIVE

Another key security flaw let hackers into super funds after trustees ‘ignored’ calls to upgrade online defences

A security expert, hired by a hacked fund after the fact, has revealed super funds are using outdated online defences, which opened the door to bad actors.

Industry super funds are using outdated online defences that opened the door to a co-ordinated cyber attack and hackers helping themselves to Australian retirement savings, a key security expert who has been poring over the heist says.

A fund caught in the attack called Titanium Ventures-backed Cequence Security soon after the breach to install their artificial intelligence-powered cyber defence platform. The process, which would normally take about three months to complete, was performed within a day, The Australian can reveal.

The rapid launch of the security platform came after repeated warnings from financial and corporate regulators that the online security of Australia’s industry super funds was not up to scratch, leaving members’ savings exposed to scams and data breaches.

AustralianSuper alone confirmed on Friday afternoon that 10 of its members had lost a combined $750,000 in the hack. It said they had been reimbursed via a reserve funded by member fees and it would spend $190m on upgrading security this year.

The call to a cybersecurity firm is understood to have come before the super fund — which Cequence Asia Pacific and Japan manager Glen Maloney declined to name — reported the hack to police.

The Australian Federal Police confirmed on Wednesday — five days after the attack — it had received a report of a crime, although there was confusion about who would lead the investigation, with Victoria Police initially tapped.

Regardless, the AFP told The Australian the breach — which drained hundreds of thousands of dollars from some accounts — would be investigated. This is despite the federal government attempting to downplay the attack, with Anthony Albanese saying hacks happen “all the time” and Home Affairs Minister Tony Burke saying only “four people” had lost money.

Tony Burke and Anthony Albanese have attempted to play down the cyber attack on super funds.

Mr Maloney was confident had the system been installed earlier it could have prevented last week’s attack, which was most likely the work of AI-powered bots.

“No one’s going to go out and say that they 100 per cent would have — no cyber security vendor should — but we would have drastically reduced their risk,” Mr Maloney said.

“The blind spot that we have identified, and I think is a key strength of Cequence, is really the ability to use AI — not to fight the bots, mitigation and protections have been around for a long time — but it’s really to use AI to understand the application, the API, that’s typically used to connect the pieces together.

“The bad guys are getting smarter and using automation. They’ve got advanced AI and ‘bot as a service’ platforms that they can use against us. But what we’re really focusing on is the ability to use AI to understand that application.”

An API allows different software applications to communicate and exchange data, and hackers can abuse such interfaces to stage sophisticated attacks.

For example, when a banking app displays your balance or a travel site pulls in your flight information, it’s an API doing the work. Mr Maloney said when left unsecured, APIs are easily exploited by automated bots.

He said that in some cases adversaries even misuse trusted aggregator APIs to carry out attacks. “These advanced threats require advanced protection.”

Cequence co-founder and chief technology officer Shreyans Mehta said: “Legacy protections like WAFs and API gateways weren’t built to stop this kind of activity”.

“You need defences that understand user behaviour, detect anomalies, and automatically adapt in real-time, using AI and machine learning, even when your security team is offline.

“When bot attack patterns similar to those seen in the recent super fund incidents emerged, Cequence’s AI-driven platform responded immediately, identifying malicious bots by detecting subtle behavioural anomalies.

“The threats were neutralised in real-time without any reliance on third-party systems, well before they could affect real users or compromise systems.”

Cbus chair Wayne Swan.

In the super fund raid, criminals used a technique known as credential stuffing, which involves using stolen usernames and passwords from previous breaches to break into accounts at scale.

“We identified suspicious activity in relation to around 600 of AustralianSuper’s 3.5 million member accounts. Cyber criminals may have used previously stolen identity information to attempt to access their AustralianSuper account to commit fraud,” AustralianSuper said.

Cbus, chaired by ALP national president and former treasurer Wayne Swan, revealed earlier this week it had also been hit with an “unusually high spike in log-in attempts”.

Other funds caught in the attack included Australian Retirement Trust, Hostplus and Rest.
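Credential stuffing of the kind described above leaves a distinctive trace in authentication logs: one source address trying many different member IDs in a short window, with most attempts failing and a handful succeeding where a reused password still works. The following is an added example, not code from any of the funds or from Cequence, of detection logic run over a handful of constructed log lines (the log format, the IP addresses and the member IDs are all invented for illustration). It flags the stuffing source and lists the accounts whose credentials still worked, which are the ones that need a forced reset and session revocation.

```python
"""Credential-stuffing detection over constructed auth-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real fund data). Format assumed for this example:
#   <ISO timestamp> <source_ip> <member_id> <OK|FAIL>
SAMPLE_LOG = """\
2025-04-01T09:00:01 203.0.113.7 member1001 FAIL
2025-04-01T09:00:02 203.0.113.7 member1002 FAIL
2025-04-01T09:00:02 203.0.113.7 member1003 FAIL
2025-04-01T09:00:03 203.0.113.7 member1004 OK
2025-04-01T09:00:03 203.0.113.7 member1005 FAIL
2025-04-01T09:00:04 203.0.113.7 member1006 FAIL
2025-04-01T09:00:04 203.0.113.7 member1007 FAIL
2025-04-01T09:00:05 203.0.113.7 member1008 OK
2025-04-01T09:00:05 203.0.113.7 member1009 FAIL
2025-04-01T09:00:06 203.0.113.7 member1010 FAIL
2025-04-01T09:00:10 198.51.100.5 member1001 FAIL
2025-04-01T09:00:20 198.51.100.5 member1001 OK
2025-04-01T09:05:00 192.0.2.44 member2001 OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, member_id, succeeded)."""
    ts, ip, member, result = line.split()
    return datetime.fromisoformat(ts), ip, member, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_attempts=8,
                    min_distinct_users=5, max_success_ratio=0.5):
    """Return {source_ip: summary} for sources whose login pattern looks like
    credential stuffing: many attempts against many distinct accounts inside
    one sliding window, with a low success ratio (a real user retrying a
    mistyped password hits one account, not dozens)."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, member, ok in events:
        by_ip[ip].append((ts, member, ok))

    findings = {}
    for ip, evs in by_ip.items():
        # Slide the window start over each attempt from this source.
        for i, (start, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - start <= window]
            if len(win) < min_attempts:
                continue
            members = {m for _, m, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(members) >= min_distinct_users and successes / len(win) <= max_success_ratio:
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(members),
                    "successes": successes,
                    # Accounts the attacker actually got into: reset + revoke sessions.
                    "compromised": sorted(m for _, m, ok in win if ok),
                }
                break  # one finding per source is enough for alerting
    return findings


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are illustrative and should be tuned against a baseline of normal traffic; the single retry from 198.51.100.5 is deliberately left unflagged because one user failing once and then succeeding is ordinary behaviour. The useful output is the compromised list, since a successful stuffing attempt is indistinguishable from a legitimate login unless the surrounding burst is taken into account.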

Many of the super funds, including AustralianSuper, did not have what is known as multifactor authentication (MFA) to protect accounts — despite a warning two years ago from the Australian Prudential Regulation Authority.

AustralianSuper is now accelerating its plans to introduce MFA, saying it is expected to be live next month — about 18 months earlier than previous forecasts.

“We have invested more than $165 million this financial year to enhance our systems, building on the strong, layered controls and advanced multi-factor authentication that sit behind the platforms that members see and interact with daily,” a spokesman said.

“We will invest a further $190 million in the coming year, including to expand the use of multi-factor authentication for further interactions over the coming weeks.”

But Mr Mehta said hackers can even bypass MFA.

He said bots were now capable of harvesting session tokens and reusing them to impersonate real users, highlighting the need to have AI to fight AI in a cybersecurity arsenal. Unsecured public Wi-Fi networks increase that risk: a token intercepted in transit lets an attacker reuse an already-authenticated session without ever facing the MFA prompt.
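A stolen session token sidesteps MFA because the MFA check happened once, at login, and the token is what proves it afterwards. One server-side mitigation is to bind each session to the client that completed MFA and to expire idle sessions quickly, so a replayed token from a different client is rejected and the session revoked. The following is an added example, not Cequence's product or any fund's code; the fingerprint (source IP plus user agent) and the hypothetical `SessionStore` API are assumptions made for illustration.

```python
"""Session-token binding and replay detection (added example)."""
import hashlib
import hmac
import secrets


def client_fingerprint(source_ip, user_agent):
    """Assumed fingerprint: hash of the client's IP and User-Agent.
    A stronger binding (mTLS, DPoP-style key binding) is preferable where available."""
    return hashlib.sha256(f"{source_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    """In-memory store of MFA-authenticated sessions bound to a client fingerprint."""

    def __init__(self, server_secret, idle_timeout=900):
        self._secret = server_secret          # HMAC key so a dumped store yields no usable tokens
        self._idle_timeout = idle_timeout     # seconds of inactivity before the session dies
        self._sessions = {}                   # token_hash -> session record

    def _hash(self, token):
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, member_id, fingerprint, now):
        """Issue a fresh random token after login + MFA succeeded from `fingerprint`."""
        token = secrets.token_urlsafe(32)
        self._sessions[self._hash(token)] = {
            "member": member_id,
            "fp": fingerprint,
            "last_seen": now,
        }
        return token

    def validate(self, token, fingerprint, now):
        """Return (member_id, 'ok') if the token is valid for this client, else (None, reason).
        A token presented from a different client is treated as replay: the
        session is revoked so neither the attacker nor the victim can keep using it."""
        key = self._hash(token)
        session = self._sessions.get(key)
        if session is None:
            return None, "unknown"
        if now - session["last_seen"] > self._idle_timeout:
            del self._sessions[key]
            return None, "expired"
        if not hmac.compare_digest(session["fp"], fingerprint):
            del self._sessions[key]
            return None, "client_mismatch"
        session["last_seen"] = now
        return session["member"], "ok"


if __name__ == "__main__":
    store = SessionStore(b"example-server-secret")
    victim = client_fingerprint("203.0.113.7", "Mozilla/5.0 (iPhone)")
    bot = client_fingerprint("198.51.100.5", "python-requests/2.31")
    tok = store.issue("member1001", victim, now=1000)
    print(store.validate(tok, victim, now=1100))   # victim's own device: ok
    print(store.validate(tok, bot, now=1200))      # replayed token: client_mismatch, revoked
    print(store.validate(tok, victim, now=1300))   # victim must log in (and do MFA) again
```

Binding on the source IP is the weak point of this scheme: members on mobile carriers change address mid-session, so in practice the IP component is often dropped or relaxed to a prefix and the short idle timeout does most of the work. The hashing of stored tokens and the revoke-on-mismatch rule are the parts worth keeping regardless of how the fingerprint is built.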

“By intercepting bots at the point of interaction, Cequence prevented account takeovers, data breaches, and downstream fraud.”

Originally published as Another key security flaw let hackers into super funds after trustees ‘ignored’ calls to upgrade online defences

Original URL: https://www.weeklytimesnow.com.au/agribusiness/breaking-news/another-key-security-flaw-let-hackers-into-super-funds-after-trustees-ignored-calls-to-upgrade-online-defences/news-story/349780d86a4935fd08d3a5c9e8f911ad