Super funds could face hefty fines after hundreds of Aussies were hacked in 'coordinated' cyberattack


By CAITLIN POWELL FOR DAILY MAIL AUSTRALIA

Published: 23:59 EDT, 4 April 2025 | Updated: 00:05 EDT, 5 April 2025

Some of Australia's largest superannuation funds could be slapped with exorbitant fines after reportedly failing to provide members with multi-factor authentication.

The country's biggest fund, AustralianSuper, which has about 3.5 million members, was among those targeted on Friday following reports a cache of passwords had been stolen.

Industry super funds Australian Retirement Trust (incorporating QSuper and Sunsuper), REST and Hostplus were affected, along with Insignia Financial as owner of MLC.

The funds may now face severe penalties from the Australian Prudential Regulation Authority (APRA), according to former director of policy at the Cyber Security Cooperative Research Centre, Anne-Louise Brown.

'If adequate consumer cybersecurity protections are found to have not been adopted, the companies could face significant financial penalties,' Ms Brown told The Australian.

The expert referenced the major cyberattack on Medibank in 2022, which saw the personal information of 9.7 million Australians stolen.

After an investigation, APRA forced Medibank to allocate $250 million as 'insurance', reflecting 'weaknesses identified in [its] information security environment'.

'The financial services sector is heavily regulated when it comes to cyber security,' Ms Brown said.



'Not only do they need to take reasonable steps to protect their data under the critical infrastructure regime, they also have obligations under APRA.

'While it will take a while to unpick the full scale of the breach and how it occurred, it is concerning that sensitive personal financial data was potentially breached.'

Ms Brown warned that Australians impacted by the cyberattack need to be alert to the risk of identity theft and fraud.

AustralianSuper member Samantha Burns told Daily Mail Australia on Friday that she had alerted her super fund in late February about being hacked.

'I phoned AustralianSuper on 27 February 2025, telling them when I logged into my account, the balance was zero,' she said.

'They said it's most likely an upgrade and to wait and re-log on. I tried that, same thing, zero balance.

'I rang multiple times after that, and was told the problem was being fixed by the IT department. So it's not just in the past week.'

AustralianSuper has declined to comment on Ms Burns' case.


The union-backed industry super fund said it was working with the Australian Signals Directorate and the National Office of Cyber Security to resolve the issue.

It is urging all members to log on to their account to check that their bank account and contact details are correct, and to ensure they have a strong password that hasn't been used for other sites.

REST chief executive Vicki Doyle said the super fund noticed unauthorised activity in late March and responded by shutting down the member access portal, after 8,000 accounts were affected.

MLC Expand chief executive Liz McCarthy told the Australian Securities Exchange that a malicious third party had engaged in 'credential stuffing', where an attacker takes username and password combinations leaked in earlier breaches and replays them against other services, relying on users having reused the same password.

'We detected suspicious activity on around 100 Expand Wrap Platform customers' accounts and at this stage there has been no financial impact to customers,' she said on Friday.
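To make the credential-stuffing pattern concrete, here is an added example (not code from the article, from MLC Expand or from any of the funds named) that runs a simple detector over constructed authentication log lines in an assumed `ip=... user=... result=...` format. The signature it looks for is one source address trying many different usernames with mostly failures and a handful of successes; a single account hammered from one address is brute force rather than stuffing and is deliberately not flagged. The thresholds are assumptions for illustration.

```python
"""Detect credential-stuffing sources in a simple authentication log."""
import re
from collections import defaultdict

# Constructed sample log lines for illustration only (not taken from any real system).
# Assumed format: <timestamp> ip=<source ip> user=<login name> result=<OK|FAIL>
SAMPLE_LOG = """\
2025-03-29T02:10:01Z ip=203.0.113.45 user=alice@example.com result=FAIL
2025-03-29T02:10:02Z ip=203.0.113.45 user=bob@example.com result=FAIL
2025-03-29T02:10:03Z ip=203.0.113.45 user=carol@example.com result=OK
2025-03-29T02:10:04Z ip=203.0.113.45 user=dave@example.com result=FAIL
2025-03-29T02:10:05Z ip=203.0.113.45 user=erin@example.com result=FAIL
2025-03-29T02:10:06Z ip=203.0.113.45 user=frank@example.com result=OK
2025-03-29T02:10:07Z ip=203.0.113.45 user=grace@example.com result=FAIL
2025-03-29T02:10:08Z ip=203.0.113.45 user=heidi@example.com result=FAIL
2025-03-29T02:11:00Z ip=198.51.100.7 user=bob@example.com result=FAIL
2025-03-29T02:11:01Z ip=198.51.100.7 user=bob@example.com result=FAIL
2025-03-29T02:11:02Z ip=198.51.100.7 user=bob@example.com result=FAIL
2025-03-29T02:11:03Z ip=198.51.100.7 user=bob@example.com result=FAIL
2025-03-29T02:11:04Z ip=198.51.100.7 user=bob@example.com result=FAIL
2025-03-29T02:11:05Z ip=198.51.100.7 user=bob@example.com result=FAIL
2025-03-29T08:00:00Z ip=192.0.2.10 user=alice@example.com result=OK
2025-03-29T08:05:00Z ip=192.0.2.11 user=ivan@example.com result=FAIL
2025-03-29T08:05:20Z ip=192.0.2.11 user=ivan@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for source IPs whose activity looks like credential stuffing.

    Replayed breach credentials mostly fail, so the tell is many distinct usernames
    from one source with a high failure ratio. The few successes are the accounts
    whose owners reused a password; those are the ones to lock and reset.
    """
    per_ip = defaultdict(
        lambda: {"attempts": 0, "failures": 0, "users": set(), "compromised": set()}
    )
    for ev in events:
        stats = per_ip[ev["ip"]]
        stats["attempts"] += 1
        stats["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["compromised"].add(ev["user"])

    flagged = {}
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        # Both conditions must hold: one user with many failures is brute force, not stuffing.
        if len(stats["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(stats["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed input only 203.0.113.45 is flagged: eight different usernames, six failures, and two accepted logins (carol and frank), which are exactly the accounts a responder would lock, force a password reset on and notify. The repeated failures against bob from 198.51.100.7 are a different problem (a single-account brute force) and would be handled by per-account lockout or rate limiting. In production the same aggregation is usually done per source network or ASN and over a sliding time window, and a second factor on the login is what turns the accepted replays into failures in the first place.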

A Hostplus spokesperson said no funds had been stolen. An Australian Retirement Trust spokesperson also said it was able to halt suspicious transactions.
