Recent disclosures about one of Australia's largest superannuation funds have raised serious questions about the security controls protecting members' retirement savings.
It has emerged that a widely recognised industry best practice, multi-factor authentication, had not been made available to all account holders before a serious cyber incident.
That gap has since been linked to reported instances of unauthorised account access and the loss of substantial sums by some members.
It has come to light that, just weeks before a devastating cyber attack, the superannuation fund giant AustralianSuper had turned down requests from its members to enable a critical security measure: multi-factor authentication (MFA).
This security lapse has resulted in cybercriminals making off with substantial sums of retirement savings, including a staggering $406,000 from one pensioner’s account.
The concept of multi-factor authentication is not new, and it is widely regarded as a cornerstone of digital security. MFA requires a user to present two or more independent forms of verification before an account is opened, for example a password followed by a one-time code delivered to the user's phone or generated by an authenticator app.
Matt Warren, an RMIT Centre for Cyber Security Research and Innovation director, said, ‘Multi-factor authentication is a key issue. The problem that a lot of the superannuation funds face is what to do with older Australians.’
This additional layer of security makes it significantly harder for unauthorised individuals to breach accounts, even if they have obtained a user’s password.

Despite the known benefits of MFA, two AustralianSuper customers reported that their requests to set up this security feature were rejected.
One of these customers, Seth Rappe from Western Sydney, found the lack of MFA particularly concerning, given that he had already been involved in a previous data breach.
He had taken the prudent step of securing all his bank accounts and emails with MFA and was surprised to find that AustralianSuper did not offer the same level of protection.
‘When I noticed that they didn’t offer that, I thought it was pretty strange for a large company,’ Rappe said.
Perth retiree Sunny Sardana said he was ‘flabbergasted’ when his request for MFA was turned down last year. AustralianSuper assured him that all necessary security controls were in place to mitigate the risk of cyber attacks and unauthorised access.
However, the subsequent cyber attack, which compromised accounts through ‘credential stuffing’ (a technique in which usernames and passwords stolen from other breaches are replayed against a login page, relying on people reusing the same password across services), has proven those assurances insufficient. A correct password is all a credential-stuffing attacker has; a second factor is precisely what stops that password from being enough.
The cybercriminals responsible for the attack reportedly obtained the data they needed to access AustralianSuper accounts from the dark net, where stolen customer information, including usernames and passwords, was available for purchase.
This breach has highlighted the vulnerability of older Australians in particular. ‘If people were of a certain age, people could then start to extract funds from that pension or try to source personally identifiable information,’ Warren said.
The Financial Services Council, recognising the urgency of the situation, has recommended that multi-factor authentication be mandated for superannuation members by July 2026, with biometrics and one-time passwords among the second factors under consideration.
In the wake of the attack, other super funds like Cbus have reported heightened security activity, with Cbus confirming an ‘unusually high spike in log-in attempts’ following the incident.
While Cbus has not reported any financial losses, it is investigating accounts that may have been affected, particularly those where MFA was triggered around the time of the attack.
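The credential-stuffing pattern described above, and the ‘unusually high spike in log-in attempts’ Cbus reported, both leave a recognisable trace in authentication logs: one source trying many different usernames with a high failure rate, as opposed to one user fumbling their own password. The following is an added illustration, not code from AustralianSuper, Cbus or this article; the log format and the sample lines are constructed for the example, and the thresholds are assumptions a real deployment would tune. It flags stuffing sources and then separates the accounts an MFA challenge stopped from those where a correct password alone was enough to get in.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format (not real fund data):
# timestamp, source IP, username, password outcome, and whether MFA was challenged.
SAMPLE_LOG = """\
2025-04-01T02:14:03Z ip=203.0.113.7 user=alice pw=fail mfa=n/a
2025-04-01T02:14:04Z ip=203.0.113.7 user=bob pw=fail mfa=n/a
2025-04-01T02:14:05Z ip=203.0.113.7 user=carol pw=ok mfa=none
2025-04-01T02:14:06Z ip=203.0.113.7 user=dave pw=fail mfa=n/a
2025-04-01T02:14:07Z ip=203.0.113.7 user=erin pw=ok mfa=challenged
2025-04-01T02:14:08Z ip=203.0.113.7 user=frank pw=fail mfa=n/a
2025-04-01T02:14:09Z ip=203.0.113.7 user=grace pw=fail mfa=n/a
2025-04-01T02:14:10Z ip=203.0.113.7 user=heidi pw=fail mfa=n/a
2025-04-01T09:01:00Z ip=198.51.100.20 user=ivan pw=fail mfa=n/a
2025-04-01T09:01:20Z ip=198.51.100.20 user=ivan pw=ok mfa=none
2025-04-01T10:30:00Z ip=192.0.2.55 user=judy pw=ok mfa=challenged
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"pw=(?P<pw>ok|fail) mfa=(?P<mfa>\S+)$"
)


def parse(log: str) -> list[dict]:
    """Parse the constructed log format; malformed lines are skipped, not guessed at."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_stuffing_sources(events, min_distinct_users=5, min_fail_rate=0.6):
    """Return {ip: stats} for sources whose traffic looks like credential stuffing.

    The signature is a single source cycling through many *different* usernames
    and failing most of the time. A legitimate user retrying their own password
    touches one username, so they never trip the distinct-user threshold.
    Thresholds are assumed values; tune them against your own baseline.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["pw"] == "fail":
            s["fails"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        fail_rate = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_rate >= min_fail_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_rate": round(fail_rate, 2)}
    return flagged


def triage(events, flagged):
    """Among password successes from flagged sources, split accounts where an MFA
    challenge stopped the attacker from accounts that had no second factor.
    The second list is the set to lock and investigate for fund movements."""
    blocked, exposed = [], []
    for e in events:
        if e["ip"] in flagged and e["pw"] == "ok":
            (blocked if e["mfa"] == "challenged" else exposed).append(e["user"])
    return sorted(blocked), sorted(exposed)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = flag_stuffing_sources(evts)
    print("stuffing sources:", hits)
    mfa_blocked, no_mfa = triage(evts, hits)
    print("stopped by MFA:", mfa_blocked)
    print("password alone was enough (investigate):", no_mfa)
```

On the sample, only 203.0.113.7 is flagged (eight usernames, 75% failure); 198.51.100.20 is a single user mistyping their password and is left alone. Of the two correct passwords the attacker held, erin's account was saved by an MFA challenge and carol's was not. Per-source counting is the simplest signal; real stuffing campaigns are usually spread across proxy pools so that no single IP crosses the threshold, which is why a fund-wide spike in login attempts or failures against a normal baseline, as Cbus described, is the complementary signal to alert on.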
AustralianSuper, the only fund to report stolen money, has pledged to refund members whose funds were stolen, with remediations to be made from fund reserves.
This commitment, however, is of little consolation to those who have already suffered significant financial and emotional distress due to the breach.
The incident serves as a stark reminder of the importance of robust cybersecurity measures, especially for organisations entrusted with safeguarding individuals’ life savings.
As our lives become increasingly digitised, the need for vigilant security practices, including the widespread adoption of multi-factor authentication, has never been more critical.
For AustralianSuper customers and members of other superannuation funds, this event is a wake-up call to review their account security settings and demand better protections from their providers.
It’s also a reminder to use a unique password for every account (credential stuffing only works because passwords are reused), to monitor account activity, and to stay informed about current cybersecurity threats.
As we continue to navigate the complexities of the digital age, one thing is clear: the security of our personal and financial information must be a top priority.
It’s time for superannuation funds and other financial institutions to step up and ensure their customers are not left asking, ‘Am I at risk without this crucial protection?’