CFOtech Australia - Technology news for CFOs & financial decision-makers

Super fund cyberattacks highlight risks to Australian savings


Several major Australian superannuation funds have reported cyberattacks that compromised thousands of member accounts, raising concerns regarding the security of retirement savings.

In April 2025, AustralianSuper and Rest were among the super funds affected by a series of credential stuffing attacks attributed to cybercriminals leveraging stolen usernames and passwords from previous, unrelated data breaches.

According to investigations, the perpetrators used automated bots to test thousands of breached email and password combinations in an effort to gain unauthorised access to superannuation accounts.

These credentials are often purchased from the dark web or sourced from historical leaks involving other online services such as shopping platforms or streaming sites.

Once inside an account, the attackers either redirected funds or harvested sensitive personal information, which could be used for identity theft. Authorities and the affected funds identified that in some instances, SMS-based two-factor authentication (2FA) was bypassed by means of SIM swapping and social engineering tactics.

Approximately AUD $500,000 was siphoned from the compromised accounts before the activity was detected and halted. The breach was swiftly met with a response from both the financial sector and government regulators, with the Australian Prudential Regulation Authority (APRA) and superannuation providers moving to strengthen security controls.

Credential stuffing, the technique used in the attacks, involves using lists of previously exposed credentials to gain unauthorised access to other accounts. One vulnerability highlighted by cybersecurity authorities is the common practice of password reuse across multiple services. According to Cyber Security Centre data, over 80% of account breaches globally involve reused credentials.

Credential stuffing allows hackers to exploit scenarios where, for example, the password linked to a person's streaming service is identical to that used for their superannuation account. If the streaming service suffers a breach, those credentials are then potentially valid elsewhere, giving cybercriminals a means to infiltrate accounts holding larger sums or valuable personal information.

The incident underscores the attractiveness of superannuation accounts to malicious actors.

According to industry observers, several factors contribute to this: superannuation accounts often hold substantial balances but see infrequent legitimate access by members, making illegal activity harder to spot quickly. In addition to savings, these accounts store a wide range of personal data valuable to identity thieves. The Australian Competition and Consumer Commission (ACCC) reported more than AUD $24 million was lost to superannuation-related scams in 2024.

Borderless CS, a cybersecurity firm based in Australia, has described the breach as a reminder of the need to prioritise credential security. A spokesperson noted, "These attacks remind us that protecting people's futures starts with protecting their credentials."

Superannuation funds such as AustralianSuper have responded by reviewing authentication procedures, improving fraud monitoring capabilities, and issuing advice to account holders. Cybersecurity firms are recommending techniques including continuous threat detection, monitoring for compromised credentials on the dark web, and making multi-factor authentication (MFA) compulsory across all financial accounts.
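Detection logic of the kind the article refers to, as an added example that is not from the article, the funds or the firms it names: it runs a sliding-window check over constructed authentication log lines and flags a source address that attempts many distinct accounts with a low success rate, the signature of credential stuffing rather than of one member retrying a forgotten password. Accounts that did log in successfully from a flagged source are listed as takeover candidates for the fraud team to review. The log line format, the thresholds and the IP addresses (all from documentation ranges) are assumptions made for the example.

```python
"""Credential-stuffing detector over login logs (added example, not from the article).

Assumed log format (one line per login attempt, constructed for this example):
    <ISO-8601 timestamp> src=<ip> user=<account> result=<OK|FAIL>
Thresholds are illustrative; tune them against real traffic before relying on them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 behaves like a stuffing bot (many accounts,
# mostly failures); 192.0.2.33 is one member mistyping their own password;
# 198.51.100.20 is a normal login. All addresses are documentation ranges.
SAMPLE_LOG = """\
2025-04-03T02:14:01Z src=203.0.113.7 user=a.ng@example.com result=FAIL
2025-04-03T02:14:02Z src=203.0.113.7 user=b.lee@example.com result=FAIL
2025-04-03T02:14:03Z src=198.51.100.20 user=c.dubois@example.com result=OK
2025-04-03T02:14:04Z src=203.0.113.7 user=m.rossi@example.com result=OK
2025-04-03T02:14:05Z src=203.0.113.7 user=d.kaur@example.com result=FAIL
2025-04-03T02:14:06Z src=203.0.113.7 user=e.obi@example.com result=FAIL
2025-04-03T02:14:07Z src=203.0.113.7 user=f.tan@example.com result=FAIL
2025-04-03T02:20:00Z src=192.0.2.33 user=g.hill@example.com result=FAIL
2025-04-03T02:20:10Z src=192.0.2.33 user=g.hill@example.com result=FAIL
2025-04-03T02:20:25Z src=192.0.2.33 user=g.hill@example.com result=OK
2025-04-03T02:31:00Z src=203.0.113.7 user=h.park@example.com result=OK
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime, source IP, account and outcome."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "OK",
    }


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_success_ratio=0.2):
    """Return {source_ip: alert} for sources that look like credential stuffing.

    A source is flagged the first time that, within `window`, it has tried at least
    `min_accounts` distinct accounts and at most `max_success_ratio` of those attempts
    succeeded. Once flagged, every later successful login from that source is added
    to `possible_takeovers`, even outside the window, because a bot that found one
    valid pair usually returns to use it.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0  # left edge of the sliding window (evs is time-ordered)
        for i, cur in enumerate(evs):
            while evs[start]["ts"] < cur["ts"] - window:
                start += 1
            recent = evs[start:i + 1]
            users = {e["user"] for e in recent}
            successes = [e["user"] for e in recent if e["ok"]]
            if (src not in alerts and len(users) >= min_accounts
                    and len(successes) / len(recent) <= max_success_ratio):
                alerts[src] = {
                    "first_seen": recent[0]["ts"],
                    "flagged_at": cur["ts"],
                    "accounts_tried": len(users),
                    "attempts": len(recent),
                    "possible_takeovers": set(successes),
                }
            elif src in alerts and cur["ok"]:
                alerts[src]["possible_takeovers"].add(cur["user"])
    return alerts


if __name__ == "__main__":
    for src, alert in detect_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {alert['accounts_tried']} accounts in {alert['attempts']} attempts "
              f"by {alert['flagged_at']:%H:%M:%S}; review logins for "
              f"{sorted(alert['possible_takeovers'])}")
```

The per-source, many-accounts condition is what separates stuffing from an ordinary brute-force or a member's own failed retries: 192.0.2.33 above fails twice and then succeeds on a single account and is never flagged, while the bot is flagged on its fifth distinct account even though one of its attempts succeeded. In production the same logic would key on more than source IP (ASN, device fingerprint, user-agent) because stuffing traffic is usually spread across proxies, and the flagged accounts would feed a step-up authentication or account-freeze workflow rather than just a printout.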

In response to the breaches, APRA is working closely with superannuation providers to standardise authentication processes and commission independent security audits across the sector.

Account holders are being encouraged to take several immediate steps to strengthen their security.

The recommended measures include using a dedicated password manager to generate and store unique, strong passwords; avoiding password reuse across accounts; and enabling MFA, preferably using dedicated authentication apps rather than SMS codes, which can be more vulnerable to bypass techniques.

Industry experts and authorities stress that even those whose super funds have not been directly impacted should adopt a proactive approach. The possibility remains that stolen credentials from unrelated breaches might already be circulating within criminal networks.
