Superannuation and Cyber Security – Are you safe?

Financial Newswire’s financial technology columnist, Andy Forbes analyses what occurred with respect to the cyber-attacks on multiple superannuation funds and how to counter such instances.
Across the last weekend in March 2025, malicious actors launched coordinated cyber attacks at many of Australia’s superannuation funds. Some of the biggest names in the sector were targeted such as AustralianSuper, Hostplus, Rest, Insignia Financial’s MLC Expand platform and Australian Retirement Trust.
The success of our superannuation industry and the market concentration of the big providers make it an attractive target for cybercriminals. So, what happened?
AustralianSuper reported the theft of $500,000 across ten members’ accounts. Rest has confirmed that whilst some members’ accounts were accessed, no member funds were illegally transferred. Thankfully it’s a similar story with Hostplus, MLC Expand and Australian Retirement Trust – noting suspicious activity, potentially accessed accounts, and disruptions to service but no reports of lost money.
Whilst the full extent of the breach remains under investigation, the information we have to date shows that this was not a technically sophisticated cyber-attack – planned, yes, but technically sophisticated, no. The hackers used a technique called ‘credential stuffing’ – where email addresses and passwords from previous, unrelated breaches are used to attempt access to other systems. More simply, it exploits people who use the same passwords across different sites. With this relatively unsophisticated approach, hackers were able to gain access to accounts, causing panic and disruption across our superannuation sector.
The scale and simplicity of this attack raises the question: is Australia’s superannuation safe?
It is not a question asked lightly. The idea that these funds could be accessed by hackers, bank details changed, and money stolen via credential stuffing is alarming. If simple hacking methods work, what about more sophisticated threats?
To understand the landscape, it is important to step back and assess what is happening in the broader world of cyber security. Cybercriminals are no longer just lone actors; some operate with the scale and co-ordination of professional enterprises. They use malware, dark web marketplaces, gaps in technology and mass automation to exploit system weaknesses. Teams inside superannuation providers battle these threats with strict IT policies, minimum password lengths, enforced Multi Factor Authentication (MFA), regular capability audits, firewalls, web application firewalls (WAFs), anti-virus and other intrusion detection and prevention systems.
Sophisticated systems can be undone by gaps in any of the above areas. In this incident there were two concerning lapses: first, members using the same password across a number of sites, and second, the lack of MFA in some superannuation member or adviser portals.
It is unfortunate that being slow to enforce MFA on externally facing accounts might have undone otherwise excellent cyber security programs within these funds. Perhaps concerned that the industry was not implementing MFA fast enough, in May 2023 APRA wrote a letter to its regulated entities reminding them of the importance of multi-factor authentication as a security measure. Implementing security best practice is sometimes slower than it needs to be.
So, no, the hard reality is that we cannot just assume our superannuation accounts are safe.
A failure by either the individual, their adviser or the institution can be enough to let a hacker in. The superannuation industry sometimes laments the “out of sight, out of mind” approach many Australians have to their super. Sadly, this saying often also applies to Australians and digital security, until it is too late.
Security of your superannuation account is a shared responsibility. In an increasingly hostile cybersecurity environment, individuals, advisers and institutions all need to play their role to keep superannuation safe.
At the individual level you should adopt strong, unique passwords. In previous years security professionals would recommend using numbers, capitals, and symbols. This is good, but password length matters more. To help you generate and manage these long unique passwords consider using a password manager.
Worried you might have re-used passwords already? Free tools like ‘have i been pwned’ let you check your email against known breaches. Similarly modern web browsers like Chrome come with a password manager that can check your accounts for known breaches.
If MFA is optional on your financial systems – set it up. In the unlucky event that your password is breached, the MFA challenge will stop the attacker in their tracks.
At the Adviser level, all the above applies but with the professional responsibility of looking after client accounts. A breached adviser account that has the ability to trigger payments on behalf of clients could be an attack vector.
Then institutionally, super funds that were delaying MFA enforcement must accelerate their timelines. There are encouraging signs that all are taking this very seriously now. More generally, these funds must continue to move from reactive to proactive measures – such as investing in dark web monitoring, increased intrusion detection, faster cyber incident responses and sharing of threat intelligence. Finally, as the weakest link is often human behaviour, superannuation funds need to play a role in educating their members, advisers and staff on cybersecurity.
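The credential stuffing pattern described earlier (one source trying many different member logins, most of them failing) is exactly what the intrusion detection investment above should be tuned to catch. The following is an added illustration, not code from the column or from any superannuation fund: it runs a simple detection rule over constructed login events in an assumed `ip=... user=... result=...` format and reports which accounts the flagged source actually managed to open.

```python
import re
from collections import defaultdict

# Constructed sample login events (not real fund logs): one source address
# tries many different member accounts, mostly failing, then hits one that works.
# The second address is a single member mistyping their own password.
SAMPLE_LOG = """\
2025-03-29T02:14:07Z ip=203.0.113.10 user=m1042 result=FAIL
2025-03-29T02:14:09Z ip=203.0.113.10 user=m2210 result=FAIL
2025-03-29T02:14:11Z ip=203.0.113.10 user=m3377 result=FAIL
2025-03-29T02:14:13Z ip=203.0.113.10 user=m4401 result=FAIL
2025-03-29T02:14:15Z ip=203.0.113.10 user=m5180 result=FAIL
2025-03-29T02:14:17Z ip=203.0.113.10 user=m6093 result=OK
2025-03-29T02:20:00Z ip=198.51.100.7 user=m7001 result=FAIL
2025-03-29T02:20:30Z ip=198.51.100.7 user=m7001 result=OK
"""

# Assumed log line format; adjust the pattern to the portal's real log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_events(text):
    """Turn the log text into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect_credential_stuffing(events, min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts with a high failure ratio
    (the credential stuffing signature) and list the accounts they opened,
    which are the ones to lock and step up to MFA."""
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0, "ok": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] == "FAIL":
            s["fail"] += 1
        else:
            s["ok"].add(e["user"])
    findings = {}
    for ip, s in per_ip.items():
        ratio = s["fail"] / s["total"]
        if len(s["users"]) >= min_accounts and ratio >= min_fail_ratio:
            findings[ip] = {"accounts_tried": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "compromised_accounts": sorted(s["ok"])}
    return findings

if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, f)
```

The single member who fails once and then succeeds is not flagged, because the rule keys on the number of distinct accounts per source, not on failures alone.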
Self-Managed Super Funds (SMSFs) present a unique security profile worth special consideration. By their very nature, SMSFs decentralise risk. Each fund has one or more dedicated bank accounts, and potentially multiple investment systems in use. Each of these brings its own bank-level security.
This unusual structure of SMSFs, coupled with banking and investment platform security, can create a stronger defence posture. The option of multiple bank accounts means you can diversify your banking, and in turn reduce overall risk should a breach occur in one.
However, SMSFs are not immune. Their security depends on the vigilance of the trustees. This includes all the usual advice – understanding phishing threats, avoiding sign-in links sent via SMS or email, never sharing MFA codes, and ensuring personal devices are up to date and protected. SMSF professionals in the supply chain play their part too, ensuring their systems are fortified with controls to prevent malicious behaviour. Thankfully, specialist SMSF software used by accountants, such as SuperMate, BGL and Class, has had MFA mandated by the ATO for many years now.
Whether industry, retail or self-managed, the recent attacks are a sobering reminder that the success of our superannuation industry makes it a big target. Cyber criminals are actively looking for any weakness and, once one is found, will attempt to exploit it at scale. Safety requires that individuals get the basics right, such as password hygiene and MFA. Superannuation funds need to continue to invest in the detection of and defence against cyber security threats, whilst helping to educate users of their products on how to minimise their exposure.
Superannuation security should never be out of sight, out of mind. We all have a role to play to ensure the ongoing safety of Australia’s superannuation system.
Andy Forbes is Chief Technology Officer at Super Concepts.