NewsBite

EXCLUSIVE

Police silent on any progress identifying cyber criminals who hit major super funds

A cyber attack on big super funds exposed security gaps in the system protecting nearly $4 trillion in retirement savings, yet Australians are in the dark whether any arrests will be made.

AustralianSuper was one of the mammoth funds targeted by hackers.

Criminals who stole money from the superannuation accounts of unsuspecting Australians appear to have evaded detection by police, who refuse to say whether the investigation has advanced since the theft was discovered.

The sophisticated campaign, which targeted some of the country’s largest superannuation funds – including AustralianSuper, Australian Retirement Trust, Hostplus, and Rest – marks one of the most high-stakes cyber thefts in Australian financial history.

But almost eight months later, authorities have not named the perpetrators, indicated their location, or publicly confirmed that the investigation has progressed.

Asked for an update on the case, an Australian Federal Police spokeswoman offered a terse response: “The AFP will provide an update at an appropriate time.”

The AFP-led Joint Policing Cyber Crime Co-ordination Centre is working with Victoria Police on the investigation. “As the investigation remains ongoing it would be inappropriate to comment further,” a Victoria Police spokeswoman said.

The collective silence from Australia’s top police agencies, and the funds themselves, fuels mounting concerns over the security and governance standards protecting the nation’s nearly $4 trillion retirement savings pool.

In April, four days after the attack, the AFP initially stated it had not yet received a report of a crime, raising questions about how promptly the funds sought law enforcement intervention.

Four AustralianSuper members lost $500,000 during the attacks.

While AustralianSuper did eventually report the attack, the episode has drawn muted responses from political leaders.

Anthony Albanese said hacks happen “all the time”, a position that starkly contrasts with the fierce accountability demands levied against telecommunication giant Optus after its own major breach in late 2022.

Given super funds are classed as critical infrastructure – and their investments own and operate other critical assets – the lack of political urgency on the issue is seen as alarming.

Four AustralianSuper members lost $500,000 during the attacks – money which the super giant said has since been remediated. But the breach exposed a critical vulnerability that has put Australians’ retirement savings at risk.

While authorities offer no details on the attackers, the security industry has pointed to the criminals’ likely methods.

Scott Caveza, a senior staff research engineer at Tenable, said that while no information about the perpetrators had been publicly released, the thefts had been largely attributed to “credential stuffing” attacks.

Credential stuffing involves using stolen usernames and passwords – some from previous cyber attacks – that are already circulating on the dark web.

The attackers exploited the fact that people often reuse the same password across different accounts; companies that adopt multifactor authentication can defend against such strikes more effectively.

“It’s possible that exposed credentials from other breaches or malware infections could have been part of the valid credential sets abused by the attackers,” Mr Caveza said.

He said the attacks revealed a fundamental flaw: the persistent overlooking of basic security measures such as MFA and strong passwords.
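As an added illustration of how a defender distinguishes credential stuffing from ordinary failed logins (example code written for this page, not from the article or any of the funds; the log format, field names and thresholds are assumptions, and the log lines are constructed):

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample login events: "timestamp source_ip username result"
SAMPLE_LOG = """\
2025-04-01T02:00:01Z 203.0.113.7 alice FAIL
2025-04-01T02:00:02Z 203.0.113.7 bob FAIL
2025-04-01T02:00:02Z 203.0.113.7 carol FAIL
2025-04-01T02:00:03Z 203.0.113.7 dave FAIL
2025-04-01T02:00:03Z 203.0.113.7 erin SUCCESS
2025-04-01T02:00:04Z 203.0.113.7 frank FAIL
2025-04-01T02:01:10Z 198.51.100.9 grace FAIL
2025-04-01T02:01:15Z 198.51.100.9 grace FAIL
2025-04-01T02:01:20Z 198.51.100.9 grace SUCCESS
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    # Accounts that authenticated from a flagged source: treat as likely
    # takeovers (force a reset, require MFA step-up), not as clean logins.
    successes: set = field(default_factory=set)


def parse_events(text):
    """Yield (source_ip, username, succeeded) from the assumed log format."""
    for line in text.splitlines():
        _ts, ip, user, result = line.split()
        yield ip, user, result == "SUCCESS"


def detect_stuffing(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: SourceStats} for sources that look like credential stuffing.

    Stuffing differs from brute force on one account: many distinct
    usernames, each tried once or twice, with a high overall failure rate.
    The thresholds are assumed starting points, not tuned values.
    """
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_events(text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return {ip: s for ip, s in stats.items()
            if len(s.users) >= min_users
            and s.failures / s.attempts >= min_fail_ratio}
```

Note that grace's two typos followed by a success is exactly what the heuristic must not flag; the single success from 203.0.113.7 is the high-value alert, because a stuffing run that "works" once is an account takeover.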

Mr Caveza urged financial institutions to evolve from treating breaches as merely “the cost of business” and to focus on proactive exposure management.

An ASIC review found that super trustees often lacked anti-scam practices which had been identified for the banking sector.

“We continue to see malicious actors evolve their tactics, but what remains constant is most attacks are financially motivated. As stewards of data, and often financial data, organisations must continue to improve and invest in proactive security measures,” Mr Caveza said.

“Waiting until after a breach and relying on post-compromise investigations means the damage has already been done and it can take weeks or months to recover, not to mention the financial impacts and impacts to brand value, customer loyalty and negative press.

“Staying ahead of these threats requires taking a proactive approach and looking holistically at your security posture.”

AustralianSuper, one of the primary targets, declined to comment on the investigation but detailed a significant investment in its defences.

“AustralianSuper protects members’ data and accounts through continuous investment in technology and cybersecurity. We spent $165m in the last financial year to strengthen our layered security controls and expanded multi-factor authentication for account logins,” the spokesman said. He said the fund – Australia’s biggest industry fund – was also “embedding AI in multiple layers of our security stack” and would continue to expand MFA and strengthen identity verification.

The attack has underscored systemic governance issues flagged by regulators. An Australian Securities and Investments Commission review found that super trustees often “lacked many of the foundational anti-scam practices that ASIC identified in relation to banks”, and the funds “did not have sufficient oversight of their external administrators’ anti-scam and anti-fraud practices”.

Trustees, the review found, often dismissed the threat, reporting they had not seen many scams impacting their members, thus limiting their focus.

As ASIC chair Joe Longo once warned, super funds are a “poster child for what can and does go wrong when governance fails”.

The co-ordinated theft, and the ensuing investigative silence, serve as a grim validation of that assessment, leaving hundreds of thousands of dollars in retirement savings vulnerable and demanding a complete overhaul of the sector’s security posture and accountability framework.

Originally published as Police silent on any progress identifying cyber criminals who hit major super funds

Original URL: https://www.weeklytimesnow.com.au/agribusiness/breaking-news/police-silent-on-any-progress-identifying-cyber-criminals-who-hit-major-super-funds/news-story/21b8c61e7e678afdf7083e513d93acee