By CAITLIN POWELL FOR DAILY MAIL AUSTRALIA

Published: 04:59 BST, 5 April 2025 | Updated: 05:05 BST, 5 April 2025

Some of Australia’s largest superannuation funds could be slapped with exorbitant fines after reportedly failing to provide members with multi-factor authentication. 

The country’s biggest fund AustralianSuper, which has about 3.5 million members, was among those targeted on Friday following reports that a cache of stolen passwords had been used against member accounts.

Industry super funds Australian Retirement Trust incorporating QSuper and Sunsuper, REST and Hostplus were affected along with Insignia Financial, as owner of MLC. 

The funds may now face severe penalties from the Australian Prudential Regulation Authority (APRA), according to former director of policy at the Cyber Security Cooperative Research Centre, Anne-Louise Brown.

‘If adequate consumer cybersecurity protections are found to have not been adopted, the companies could face significant financial penalties,’ Ms Brown told The Australian.

The expert referenced the major cyberattack on Medibank in 2022, which saw the personal information of 9.7 million Australians stolen.

After an investigation, APRA forced Medibank to set aside $250 million as ‘insurance’, reflecting ‘weaknesses identified in [its] information security environment’.

‘The financial services sector is heavily regulated when it comes to cyber security,’ Ms Brown said.

‘Not only do they need to take reasonable steps to protect their data under the critical infrastructure regime, they also have obligations under APRA.

‘While it will take a while to unpick the full scale of the breach and how it occurred, it is concerning that sensitive personal financial data was potentially breached.’

AustralianSuper, which has roughly 3.5 million members, was one of five super funds targeted by hackers after reports a cache of passwords were stolen (stock image)

AustralianSuper member, Samantha Burns, told Daily Mail Australia she had alerted her super fund in late February about being hacked (stock image)

Ms Brown warned that Australians impacted by the cyberattack need to be alert to the risk of identity theft and fraud.

AustralianSuper member, Samantha Burns, told Daily Mail Australia on Friday that she had alerted her super fund in late February about being hacked.

‘I phoned AustralianSuper on the 27 February 2025, telling them when I logged into my account, the balance was zero,’ she said.

‘They said it’s probably an upgrade and to wait and re-log on. I tried that, same thing, zero balance.

‘I rang multiple times after that, and was told the problem was being fixed by the IT department. So it’s not just in the past week.’

AustralianSuper has declined to comment on Ms Burns’ case.

As funds responded to the cyberattack, an Australian Retirement Trust spokesman said it was able to stop suspicious transactions (stock image)

AustralianSuper, a union-backed industry super fund, said it was working with the Australian Signals Directorate and the National Office of Cyber Security to resolve the issue.

It is urging all members to log on to their account to check that their bank account and contact details are correct, and to make sure they are using a strong password that has not been reused on any other site.

REST chief executive Vicki Doyle said the super fund noticed unauthorised activity during the last weekend of March and responded by shutting down the member access portal, after about 8,000 member accounts were affected.

MLC Expand chief executive Liz McCarthy told the Australian Securities Exchange a malicious third party had engaged in ‘credential stuffing’, an attack in which usernames and passwords leaked in earlier breaches of other websites are replayed in bulk against a target’s login page, succeeding wherever a member has reused the same password.

‘We detected suspicious activity on around 100 Expand Wrap Platform customers’ accounts and at this stage there has been no financial impact to customers,’ she said on Friday.
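The credential-stuffing pattern described above leaves a recognisable signature in authentication logs: one source address trying many different usernames in a short time with a low success rate, which is quite different from a brute-force attack that hammers a single account. The Python below is an added example written for this page, not code from the article or from any of the funds it names; the log format, field names, thresholds and every log line are constructed for illustration.

```python
"""Detect credential stuffing in authentication logs (added example).

Assumed log format (one attempt per line, constructed for this example):
    <ISO-8601 UTC timestamp> ip=<source> user=<username> result=SUCCESS|FAIL
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 replays leaked username/password pairs
# (many users, mostly failures, two reused passwords that work);
# 198.51.100.9 brute-forces a single account; 192.0.2.44 is an ordinary
# member who mistypes once and then logs in.
SAMPLE_LOG = """\
2025-03-29T02:14:07Z ip=203.0.113.5 user=alice result=FAIL
2025-03-29T02:14:08Z ip=203.0.113.5 user=bruce result=FAIL
2025-03-29T02:14:08Z ip=203.0.113.5 user=chen result=SUCCESS
2025-03-29T02:14:09Z ip=203.0.113.5 user=dana result=FAIL
2025-03-29T02:14:09Z ip=203.0.113.5 user=eli result=FAIL
2025-03-29T02:14:10Z ip=203.0.113.5 user=farah result=FAIL
2025-03-29T02:14:10Z ip=203.0.113.5 user=gus result=SUCCESS
2025-03-29T02:14:11Z ip=203.0.113.5 user=hana result=FAIL
2025-03-29T02:14:11Z ip=203.0.113.5 user=ivan result=FAIL
2025-03-29T02:14:12Z ip=203.0.113.5 user=jo result=FAIL
2025-03-29T02:20:01Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:20:02Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:20:03Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:20:04Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:20:05Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:20:06Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:20:07Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:20:08Z ip=198.51.100.9 user=bob result=FAIL
2025-03-29T02:31:40Z ip=192.0.2.44 user=carol result=FAIL
2025-03-29T02:31:55Z ip=192.0.2.44 user=carol result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    ip: str
    attempts: int
    distinct_users: int
    failure_rate: float
    compromised_users: list[str]  # accounts that saw a SUCCESS from the flagged source


def parse_log(text: str) -> list[Event]:
    """Parse lines in the assumed format; lines that do not match are skipped."""
    events: list[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(
    events: list[Event],
    window: timedelta = timedelta(minutes=10),
    min_attempts: int = 5,
    min_distinct_users: int = 5,
    min_failure_rate: float = 0.5,
) -> dict[str, Finding]:
    """Flag source IPs that, within any sliding window, hit many distinct
    usernames with a high failure rate. A single-account brute force is
    deliberately NOT flagged here (it has one distinct user); that needs its
    own rule. Thresholds are illustrative assumptions."""
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    findings: dict[str, Finding] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:  # slide the window start forward
                lo += 1
            span = evs[lo : hi + 1]
            users = {e.user for e in span}
            rate = sum(not e.ok for e in span) / len(span)
            if len(span) >= min_attempts and len(users) >= min_distinct_users and rate >= min_failure_rate:
                if ip not in findings or len(span) > findings[ip].attempts:  # keep the widest hit
                    findings[ip] = Finding(ip, len(span), len(users), rate, sorted({e.user for e in span if e.ok}))
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(parse_log(SAMPLE_LOG)).values():
        print(f"{f.ip}: {f.attempts} attempts, {f.distinct_users} users, "
              f"failure rate {f.failure_rate:.0%}, reset and review: {f.compromised_users}")
```

The `compromised_users` list is the operationally useful output: those are the accounts whose reused password worked, so they are the ones whose sessions should be revoked and whose bank and contact details should be checked for tampering, which is the check the funds above asked members to do by hand.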

A Hostplus spokesman said no funds had been stolen. An Australian Retirement Trust spokesman also said it was able to stop suspicious transactions.

Super funds could face hefty fines after hundreds of Aussies were hacked in ‘coordinated’ cyberattack
