In what is being called a co-ordinated cyber attack, a number of Australia’s largest superannuation funds have suffered a breach with thousands of user accounts compromised.
So far, the super funds affected by the incident include Rest, Hostplus, Australian Retirement Trust, AustralianSuper, and Insignia, the owner of MLC.
While members of the affected super funds are being urged to check their accounts for suspicious activity, media reports suggest that the threat actors targeted accounts in the pension drawdown phase, as those accounts can request lump sum withdrawals.
Additionally, an anonymous finance expert speaking with Super Review sister brand Cyber Daily said that normal superannuation accounts are extremely difficult to withdraw from, resulting in pensioners becoming a likely target for the threat actors.
Rest CEO Vicki Doyle said that it detected the activity last weekend, adding that 1 per cent of its members, roughly 20,000, according to Sydney Morning Herald, were affected. However, The Australian Financial Review revealed that 8,000 accounts had been affected by the incident.
“Over the weekend of 29-30 March 2025, Rest became aware of some unauthorised activity on our online Member Access portal. We responded immediately by shutting down the Member Access portal, undertaking investigations and launching our cyber security incident response protocols,” Doyle said.
“At this stage, we believe that some of our members may have had limited personal information accessed and we are currently working through this with those impacted members.”
Doyle said that no Rest accounts have had funds taken out of them but told the Financial Review that data such as first names, email addresses, and member numbers may have been compromised.
Similarly, chief member officer for AustralianSuper, Rose Kerlin, said that it detected a spike in suspicious criminal activity last week.
“Over the past week, we have seen a spike in suspicious activity across our member portal and mobile app and we are urging members to take steps to protect themselves online,” Kerlin said.
“This week we identified that cyber criminals may have used up to 600 members’ stolen passwords to log into their accounts in attempts to commit fraud.
“While we took immediate action to lock these accounts and let those members know, there are things members can do right now to protect themselves online.”
A spokesperson for AustralianSuper told Cyber Daily that compromised accounts have been locked down with their owners contacted and that all accounts have had their capabilities restricted to prevent card and banking details from being changed. Additionally, AustralianSuper has contacted the office of the National Cyber Security Coordinator regarding the incident.
Speaking with the media, Insignia Financial said that the breach was the result of a credential stuffing incident.
“This activity, known as credential stuffing, involved an unusual number of login attempts targeting the Insignia Financial Expand platform. At this stage, we have not observed similar activity across any of our other customer facing platforms,” said a spokesperson for Insignia Financial.
“Our Cyber Security and Wrap Technology teams are actively working to apply additional monitoring and mitigations to protect customer accounts, and as a precaution we have taken steps to restrict some activities on the platform. Some customers will receive communications prompting them to reset their passwords when they next login to their accounts.”
Insignia said that impacted customers would be contacted and that there was currently no financial impact.
The Association of Superannuation Funds of Australia (ASFA) has said that connections between superannuation firms, government agencies, and financial services are critical in preventing future cyber attacks.
ASFA, in a statement on Friday, also said that security frameworks should be industry-wide and that super funds should engage in information sharing between themselves and critical service providers.
“In a rapidly evolving threat landscape there will always be new and emerging risks, but Australia’s super sector is proactively working together to improve system-wide defences, including through the ASFA Financial Crime Protection Initiative (FCPI),” said ASFA.
“ASFA convenes a regular sector-wide Cyber Security Threat Intelligence Working Group, which brings together industry leaders from across superannuation to respond to emerging cyber security issues.
“Through the FCPI, ASFA will imminently be releasing a Toolkit to ensure strong sector coordination in relation to cyber security.
“ASFA has also been heavily engaged with government consultations on strengthening Australia’s cyber security protection laws.”
