An Alarming Cybersecurity Breach that affected vulnerable Australians and their retirement savings.
Australian super funds have been among the last large institutions to adopt multi-factor authentication on their platforms. Why institutions that hold a combined total of $2.5 trillion of Australians' hard-earned cash think they are immune to cyber attacks is beyond me.
This proved to be the case this past week, when a barrage of simultaneous attacks on Australia's major super funds in the dark of night saw these cyber criminals walk away with what has so far been disclosed as $500,000. I expect the financial impact to be much greater as the full extent of the affected members comes to light in the coming weeks.
The attacks targeted several superannuation providers, including AustralianSuper, Hostplus, Rest, Insignia Financial (the ASX-listed firm that owns the MLC Expand platform) and Australian Retirement Trust.
Although it did not hit mainstream media until Friday 4th April, it has been reported that AustralianSuper notified the government on Wednesday of its findings, and the matter was promptly escalated to national cybersecurity co-ordinator Lieutenant General Michelle McGuinness, who has led the response. It was also discovered that the Australian Retirement Trust super fund noticed suspicious activity on March 8 and had informed the government back then.
Although only discovered last week, we can only assume that these kinds of unsophisticated attempts to break into these platforms have been going on for years, with or without success.
As expected, after the news was announced on Friday, an influx of traffic from super members eager to check their savings overwhelmed the platforms. This surge in traffic caused websites and apps across the country to crash. The issue affected not only the named superannuation companies but all Australian superannuation companies. The system crashes led to additional frustration and confusion: many users who logged onto their platforms saw zero balances because of the overloaded systems, assumed the worst and escalated the issue.
Super Consumers Australia boss Xavier O’Halloran said he raised security problems constantly with funds.
“We audited the security features of major funds two years ago and found significant vulnerabilities,” O’Halloran said. “We immediately informed the funds and their lobby groups of the findings. It’s shocking that two years later we are hearing reports of significant cyberattacks putting people’s retirement savings at risk.”
“Once again this sector has proven itself to be incapable of self-regulating to protect consumers.”
How do these credential stuffing attacks work?
Credential stuffing attacks in Australia have become increasingly popular for unsophisticated hacking attempts since vast amounts of Australians' personal information became available. With Australia having limited competition in certain sectors, attacks on those sectors yield a large amount of our data. Over the past few years we have seen a wave of data breaches in which large corporations and institutions such as Optus, Medicare, pubs, clubs and other agencies lost our personal information.
Once this personal information becomes available on the Internet or dark web it is purchased in bulk, and the data can then be replayed against website and portal logins in an attempt to pass as the owner of member accounts and gain access to member funds.
Much of this stolen data contains users' passwords, which in many cases are still generic and widely used.
In this particular security breach the customer accounts of the elderly and retired were targeted, as these accounts allow lump sum withdrawals and direct transfers of funds from the superannuation account to a bank account.
Although the exact number of members affected by this cyberattack is still unknown, early reports from the listed funds were made public on Friday afternoon. AustralianSuper's chief member officer said 600 AustralianSuper member accounts had been breached, while Insignia said 100 of its members' accounts had been tampered with. Rest reported 8000 affected accounts.
Whilst all affected super platforms suggested clients take immediate action and change their passwords, this was of course impossible due to the already unresponsive servers, leaving clients with even more anxiety.
Who is responsible for these losses?
AustralianSuper said its customers had lost $500,000, and while recovery efforts were underway, refunds were not guaranteed.
Opposition home affairs spokesman James Paterson said funds should reimburse any customers who lost money as part of the attack.
“No member should suffer a poorer retirement because of this breach.”
The fact is there still aren't clear regulations, laws or precedents in these matters. It doesn't help when we hear from our prime minister Mr Albanese this week with comments like:
“Bear in mind the context here – there is a cyberattack in Australia about every six minutes”
Normalising these security breaches isn't the answer and in no way calms the average Joe. What we need is clear guidance and education on how these cyber attacks happen, combined with stricter rules and regulations on how our data must be stored and stiff penalties for those not compliant.
In this particular instance it is understood the funds have left some regulators unimpressed with their cybersecurity and breach responses. John Lonsdale, the current APRA chairman, told a conference in 2023 that funds had “foundational issues” with cybersecurity.
The then APRA superannuation general manager Katrina Ellis said she was focused on protecting fund members from the “emerging and increasing risk” of cyberattacks. In February 2023 she was quoted as saying:
“Luckily, there hasn’t been a material cyber incident in super so far, but our work highlights the need for a broader uplift in cyber risk management.”
The Association of Superannuation Funds of Australia said it had worked to increase cyber resilience across the industry by organising closer collaboration with Australian government agencies and information sharing between industry stakeholders.
It is unfathomable why financial system regulators do not require these platforms to adhere to stricter guidelines in line with the banks and demand multi-factor authentication on their online member access portals, whereby members must receive codes and confirmation to their email addresses and phone numbers before such transfers from their super account are allowed.
How can we prevent these attacks?
We can of course never rid ourselves of cyber attacks and cyber breaches. In this modern age we are forever forced to have our private information stored on hundreds of company databases and platforms. It is impossible to not have your personal information recorded electronically, even if you don’t want to.
The onus comes down to the keeper of this data, not the users of the platform or website. They need to invest more time and resources into ensuring not only that their platforms are secure, but more importantly that their users are conducting themselves in a secure way.
Over the past few years we have heavily increased spending and staffing for the Australian Signals Directorate, and providing companies with information and appropriate guidelines for their digital security systems should be a top priority. Although parliament has passed company cyber security laws and privacy regulations, the guidelines and parameters of these are still unclear.
“Platforms such as these must insist on having passwords scrutinised and changed regularly.”
The bare minimum ANY system that stores your data must provide is:
- Multi-factor authentication, at least two-factor authentication
- Password policies on unique passwords, length, strength and expiry time
- AI or other systems to continually monitor for suspicious transactions
- AI or other systems checking for unusual login activity
- AI or other systems checking the originating IP of users
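As an added illustration (my own sketch, not code from the article or any fund), the following Python applies the last three points above to constructed portal login events: one source IP cycling through many member IDs with mostly failed logins is the credential-stuffing signature, and a member who logged in successfully from such an IP, or from an IP they have never used before, is held for an out-of-band confirmation code before a lump sum withdrawal goes through. All IP addresses, member IDs, timestamps and thresholds are constructed for the example.

```python
"""Credential-stuffing detection and withdrawal step-up over constructed login events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal events (not real fund data): (timestamp, member_id, source_ip, result).
# 203.0.113.9 walks through six different member IDs in six seconds; one replayed password works.
# 198.51.100.7 is one member mistyping their own password once, then succeeding.
SAMPLE_EVENTS = [
    ("2025-04-02T02:10:01", "m1001", "203.0.113.9", "fail"),
    ("2025-04-02T02:10:02", "m1002", "203.0.113.9", "fail"),
    ("2025-04-02T02:10:03", "m1003", "203.0.113.9", "success"),
    ("2025-04-02T02:10:04", "m1004", "203.0.113.9", "fail"),
    ("2025-04-02T02:10:05", "m1005", "203.0.113.9", "fail"),
    ("2025-04-02T02:10:06", "m1006", "203.0.113.9", "fail"),
    ("2025-04-02T09:15:00", "m2001", "198.51.100.7", "fail"),
    ("2025-04-02T09:15:20", "m2001", "198.51.100.7", "success"),
]

WINDOW = timedelta(minutes=10)   # assumed tuning values, not taken from the article
MIN_DISTINCT_MEMBERS = 5         # one IP cycling many member IDs is the stuffing signature
MIN_FAIL_RATIO = 0.5             # replayed breach passwords mostly fail


def detect_stuffing(events, window=WINDOW, min_members=MIN_DISTINCT_MEMBERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {source_ip: sorted member IDs that logged in successfully while that IP was stuffing}.
    An IP is flagged when any sliding window holds >= min_members distinct IDs and enough failures."""
    by_ip = defaultdict(list)
    for ts, member, ip, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), member, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            members = {m for _, m, _ in win}
            fails = sum(1 for _, _, r in win if r == "fail")
            if len(members) >= min_members and fails / len(win) >= min_fail_ratio:
                flagged.setdefault(ip, set()).update(m for _, m, r in win if r == "success")
    return {ip: sorted(ms) for ip, ms in flagged.items()}


def withdrawal_needs_step_up(member, ip, known_ips, flagged):
    """Hold a lump sum withdrawal for an out-of-band code (email/SMS, as the article suggests)
    when the session IP is one the member has never used or was flagged as stuffing."""
    return ip not in known_ips.get(member, set()) or member in flagged.get(ip, [])
```

On the constructed events only 203.0.113.9 is flagged and only m1003 is held for a code; the member behind 198.51.100.7 passes as ordinary behaviour.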