Australian-Super Breach

Australia's largest superannuation fund, AustralianSuper, is facing scrutiny after it emerged that customers had raised concerns about security vulnerabilities, specifically the lack of multi-factor authentication (MFA), weeks before a significant cyberattack. The attacks resulted in hundreds of thousands of dollars being stolen from members' retirement savings.

Two AustralianSuper customers have come forward, revealing they had explicitly requested MFA as a security measure but were denied. Seth Rappe, a horticulturalist from western Sydney, stated that he contacted the fund last month to inquire about MFA, only to be told it was not offered. "I was just going through all my accounts because, you know — obviously — scams and stuff," he said. "And I actually emailed them, and I was like, 'Do you guys offer multi-factor authentication, because I can't seem to set it up. And they're like, 'No, we don't offer that.'"

​

Rappe, who uses MFA on all his other accounts, found this lack of security "pretty strange for a large company." Just weeks later, AustralianSuper was hit by a cyberattack affecting approximately 600 of its 3.4 million members.

Another customer, Sunny Sardana, a retiree in Perth, also reported raising the issue of MFA with AustralianSuper last year. He was told that it wasn't necessary for account logins, only for "high-risk transactions" like withdrawals. "I was flabbergasted," Sardana said. "They said actually they didn't feel it was necessary, and they had other ways of stopping people from accessing things, such as getting your money out — that's where the real security came in."

Cyber experts have identified the attacks as "credential stuffing," a relatively unsophisticated form of fraud that exploits stolen usernames and passwords. They emphasized that MFA is a crucial safeguard against such attacks.

AustralianSuper has reportedly pledged to reimburse affected customers from fund reserves, including a pensioner who lost $406,000. However, the fund has not responded to specific questions from the ABC regarding the security concerns raised by customers.

Other super funds, such as HostPlus and Rest, have also been impacted by the recent cyberattacks. HostPlus stated that their safeguards, including MFA, prevented any financial losses. Rest reported that while no funds were stolen, the personal details of 8,000 members were accessed. Australian Retirement Trust and Hesta reported they were not affected.
​
The incident has highlighted the vulnerability of the multi-trillion-dollar superannuation industry and prompted calls for urgent implementation of robust security measures, particularly MFA. The Financial Services Council had previously recommended mandating MFA systems for superannuation companies by July 2026.
As members like Erle Williams, who saw a significant drop in his account balance, anxiously await explanations, the incident raises serious questions about the security protocols of Australia's super funds and the trust placed in them by millions of Australians. Legal experts have also pointed out that financial service providers who fail to exercise due care can face civil claims under the ASIC Act.

Ep318 - Image by AI