Hundreds of Australian superannuation accounts have been targeted by hackers in a coordinated online attack using stolen passwords over the weekend.
It is believed that attackers were targeting accounts that could deliver lump sum withdrawals.
Which superannuation funds were targeted?
Hostplus, Rest, AustralianSuper, Insignia Financial and Australian Retirement Trust are among the providers hit by the attack, which was confirmed on Friday by Australia's National Cyber Security Coordinator Lieutenant General Michelle McGuinness.
While some accounts were not breached, the Association of Superannuation Funds of Australia (ASFA) revealed "a number of members" had funds stolen and would be contacted by providers.
"While the majority of attempts were repelled, unfortunately a number of members were affected," the group said in a statement.
AustralianSuper — Australia's largest fund managing $365 billion for 3.5 million members — said as many as 600 of its accounts were targeted by the hackers who allegedly sought lump sum withdrawals.
The fund's chief member officer Rose Kerlin said criminals "may have used up to 600 members' stolen passwords to log into their accounts in attempts to commit fraud".
"Even though you may not be able to see your account, or you are seeing a $0 balance, your account is secure," the fund said, assuring members it is a temporary glitch.
However, SBS News understands four AustralianSuper customers have lost a combined total of $500,000.
Rest Super, the default industry pension fund for retail workers, with $93 billion of assets under management, said it suffered an attack that impacted around 20,000 accounts, or around 1 per cent of its two million members.
Rest said 8,000 accounts may have had personal information accessed but no member funds were transferred.
"At this stage, we believe that some of our members may have had limited personal information accessed and we are currently working through this with those impacted members," a Rest spokesperson said.
Insignia Financial, which manages $327 billion, also confirmed to SBS News that there had been "an incident involving a malicious third-party attempting to access online superannuation accounts".
"This activity, known as , involved an unusual number of login attempts targeting the Insignia Financial Expand platform," a spokesperson said.
It had detected suspicious activity on about 100 customer accounts but had not identified any financial impact.
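An "unusual number of login attempts" spread across many different accounts, most of them failing, is the footprint of an attack that replays stolen passwords against a login page. As an added illustration (not code from Insignia Financial or any other fund named here), the Python below runs that check over a handful of constructed audit lines and then lists the accounts a flagged source managed to log into, since those are the ones that need a fraud review. The log format, the IP addresses, the five-minute window and the thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login-audit lines (not real fund logs). Format assumed:
# "<ISO8601 UTC timestamp> <source IP> <account id> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2025-04-05T02:00:01Z 203.0.113.7 member10231 FAIL
2025-04-05T02:00:02Z 203.0.113.7 member48821 FAIL
2025-04-05T02:00:02Z 203.0.113.7 member77310 FAIL
2025-04-05T02:00:03Z 203.0.113.7 member11902 SUCCESS
2025-04-05T02:00:04Z 203.0.113.7 member90017 FAIL
2025-04-05T02:00:05Z 203.0.113.7 member33390 FAIL
2025-04-05T02:00:09Z 198.51.100.4 member55012 FAIL
2025-04-05T02:00:15Z 198.51.100.4 member55012 SUCCESS
2025-04-05T02:00:20Z 192.0.2.9 member22001 SUCCESS
"""


def parse_login_lines(text):
    """Parse the assumed audit format into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "SUCCESS"))
    return events


def credential_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.5):
    """Return {ip: (distinct_accounts, attempts, successes)} for sources that, within `window`,
    tried at least `min_accounts` different accounts with a success rate at or below
    `max_success_rate`. A member retrying their own account never looks like this;
    a list of stolen username/password pairs does."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so the span never exceeds `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {account for _, account, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(accounts) >= min_accounts and successes / len(span) <= max_success_rate:
                best = flagged.get(ip)
                # keep the widest qualifying span seen for this source
                if best is None or len(accounts) > best[0]:
                    flagged[ip] = (len(accounts), len(span), successes)
    return flagged


def accounts_to_review(events, flagged):
    """Accounts a flagged source logged into successfully: the stolen password matched, so
    step-up authentication and a check of contact and bank details are warranted."""
    return {account for _, ip, account, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse_login_lines(SAMPLE_LOG)
    hits = credential_stuffing_sources(evs)
    print(hits)                          # {'203.0.113.7': (6, 6, 1)}
    print(accounts_to_review(evs, hits))  # {'member11902'}
```

The thresholds deliberately combine two signals: breadth (many distinct accounts from one source) and a low success rate. Either alone produces false positives (a shared office NAT, or a member who mistypes a password a few times), but a source cycling through dozens of accounts with only the occasional success is exactly what a replayed credential list looks like, and the single successful login in that burst is the account to contact first.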
Hostplus is investigating the incident and no member funds have been stolen, a spokesperson said.
Australian Retirement Trust, Australia's second-largest fund managing A$300 billion for 2.4 million members, said it had detected "unusual login activity" affecting "several hundreds" of accounts but no funds were lost.
"We have not identified any suspicious transactions or modifications regarding these accounts," a spokesperson for the Australian Retirement Trust said in a statement to SBS News.
Australian Ethical Super — which manages $13.26 billion for over 134,000 customers — sent a message to members on Friday saying its analysis so far showed it was unaffected.
How are authorities responding?
Superannuation and banking firms were working with government agencies to respond to the attack, McGuinness said.
"I am coordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice."
"Funds are contacting all affected members to let them know and are helping those whose data has been compromised," ASFA said.
Superannuation funds are urging their members to check accounts for signs of fraud, ensure their banking and contact details are correct, and change their password if it is not unique to their account.
Cybersecurity expert Matthew Warren said multi-factor authentication, requiring uniquely generated codes in addition to entering a password, needs to be implemented for every customer.
"This major cyber attack clearly highlights the weak authentication measures implemented by the Australian superannuation industry," the director of RMIT's cybersecurity centre said.
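The "uniquely generated codes" Warren describes are usually time-based one-time passwords (TOTP, RFC 6238): a shared secret enrolled in the member's authenticator app, combined with the current 30-second time window, yields a code the server can recompute and compare, so a stolen password alone no longer logs anyone in. The Python below is an added example implementing that check from the standard library; it is not code from any fund mentioned on this page. The secret length, time step and drift window are assumptions for the example, and the test secret at the bottom is the one published in RFC 4226 and RFC 6238 so the output can be checked against the RFC tables.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP_SECONDS = 30   # assumed time step (the RFC 6238 default)
TOTP_DIGITS = 6          # assumed code length


def generate_secret(num_bytes: int = 20) -> str:
    """Fresh base32 shared secret: this is what gets enrolled in the member's authenticator app."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current time window number."""
    return hotp(secret_b32, at_time // step)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current window and `window` neighbours on each side to tolerate
    clock drift. The comparison is constant-time so a guess cannot learn how many digits matched."""
    if len(submitted) != TOTP_DIGITS or not submitted.isdigit():
        return False
    counter = at_time // TOTP_STEP_SECONDS
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + drift), submitted):
            return True
    return False


# The 20-byte ASCII secret "12345678901234567890" from the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    secret = generate_secret()
    code = totp(secret, now)
    print("enrolled secret:", secret)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
    print("RFC 6238 vector at T=59:", totp(RFC_TEST_SECRET_B32, 59))  # 287082
```

Two points a practitioner would add when deploying this: the server stores the secret, so it needs the same protection as a password hash store (encrypt at rest, never log it), and a code should be accepted once per window so that a code intercepted from a phishing page cannot be replayed. Neither the one-time code nor this check replaces the password; it sits beside it, which is exactly the layering Warren is calling for.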