Around 50,000 super fund member records have been compromised in a massive data breach that took place in May this year.
Spirit Super confirmed 50,000 member records were impacted following a broad phishing attack campaign.
The records date back to 2019 and 2020 and contain names, addresses, ages, emails, phone numbers, account numbers and balances.
However, no dates of birth, government identification numbers, tax file numbers, driver’s licence details or bank account information were compromised, says Spirit Super.
Members’ money was secure and all those affected have already been contacted.
How did this happen?
“The breach was the result of an email phishing activity rather than a system error, regardless, we are taking all reasonable steps to prevent this from happening again,” said a Spirit Super statement.
“Please be assured investigations to date indicate that accounts have not been compromised. We have increased the levels of security to ensure our members’ accounts remain safe. Our investigation will continue.”
The breach occurred after a staff member’s email account was compromised on 19 May.
“In short, it was human error during a malicious email attack posing as official correspondence,” the fund stated.
“This was not the result of a material security control weakness or technology failure. The malicious email resulted in a staff member’s password being compromised.”
Protective measures ‘not enough’
Multi-factor authentication, usernames and passwords were not enough to thwart this attacker, admitted the fund.
“Phishing attacks such as this are becoming increasingly sophisticated and common,” stated the fund.
“We have a skilled internal team focused on cyber security and protecting your information. This team detected the compromised account and acted quickly to contain and limit the impact of the breach. No further accounts or systems were impacted.”
Members should remain vigilant about unsolicited emails, text messages or phone calls and report any suspicious matters to the ACCC’s Scamwatch, says Spirit Super.
Members advised not to ‘go public’ on data breach
The fund does not believe the attack was targeted, or that the attacker knows they had access to the personal information. It has also advised members not to share that their personal information has been leaked, to help them avoid being targeted.
“Spirit Super takes your privacy and the security of our information and systems extremely seriously. Online threats are constantly evolving, and no organisation can completely mitigate these risks,” said the fund.
“We continue to invest in internal capability, technology, improved internal processes, and staff training to reduce the likelihood and severity of future data breach events.”