AustralianSuper Cyberattack Losses Reach $450,000

The 10 members whose accounts were affected have been fully reimbursed, superannuation officials confirmed.



AustralianSuper confirmed that of the 600 members who had their superannuation accounts accessed in a cyberattack earlier this month, 10 suffered a financial loss totaling A$750,000 ($474,433).

“Our investigation into this criminal act found a total of 10 members had a combined [A]$750,000 transferred out of their accounts, which were fully reimbursed this week,” AustralianSuper officials said in a statement released late Friday. “These members have been offered expert and independent support through IDCARE, which provides tailored advice and assistance in cyber incidents. Chief member officer Rose Kerlin spoke directly to a number of these members [earlier this week].”

“AustralianSuper’s systems remained secure in this incident, but we acknowledge the distress it has caused and thank members for their ongoing patience as we continue to work directly with those affected,” the statement continued.

AustralianSuper CEO Paul Schroder said that while criminals were able to access member accounts, the fund was not “hacked.”

“I want to be clear that AustralianSuper was not hacked,” Schroder said in a statement. “Criminals used stolen passwords and personal identity information from other sources to access accounts to commit fraud. Unlike other recent cyber incidents reported in the media over the last few years, cyber criminals did not access our systems.”

At this stage, it appears AustralianSuper was the only super fund at which members suffered a financial loss.

A spokesperson for Rest Super confirmed to Financial Standard, a sister publication of CIO, that while there was suspicious activity on Rest member accounts, no money was lost.

“No money was transferred out of Rest member accounts as a result of this incident,” the spokesperson said. “We have contacted impacted members to provide support.”

Hostplus also confirmed that no financial losses had occurred. Australian Retirement Trust has not provided an update since the fraud was made public on April 7, though at the time, the fund stated it had not identified any suspicious transactions.

Speaking at an industry event, Association of Superannuation Funds of Australia CEO Mary Delahunty confirmed the incident was being investigated by police and government authorities.

“We can say that cyber criminals undertook a coordinated, well-funded and sophisticated attack, attempting to access the retirement funds of Australians using stolen [or] approximated email addresses and passwords to log in—a process known as credential stuffing,” Delahunty said. “The superannuation sector is taking this extremely seriously, as we should. Australians place enormous trust in the super system and rightly expect that their retirement savings will be safe and protected. When that trust is tested, it must be taken seriously.”

This article originally appeared in our sister publication, Financial Standard, which, like CIO, is owned by ISS STOXX.
