The Register

Retirement funds reportedly raided after unexplained portal probes and data theft

Australian retirement fund operators are scrambling after reports emerged of unauthorized access to customer accounts leading to theft of cash.

Most Australian workers have retirement accounts thanks to a requirement that employers pay an 11.5 percent “superannuation” contribution on top of wages. The payments are made into “super funds” of a worker’s choice. Over 100 super funds compete for workers’ dough, usually by promoting the returns they generate and their easy-to-use apps and web portals that allow customers to control how their funds are invested.

While competition among funds is good for consumers, it means super funds need to achieve infosec excellence to guard members’ balances – which collectively exceed AUD$4 trillion ($2.5 trillion).

On Friday it emerged some super funds’ infosec has been tested, and found wanting.

The peak body for super funds, the Association of Superannuation Funds of Australia (ASFA), on Friday said it is “aware that last weekend hackers attempted to get through the cyber-defenses of a number of superannuation funds.”

ASFA added: “While the majority of the attempts were repelled, unfortunately a number of members were affected. Funds are contacting all affected members to let them know and are helping any whose data has been compromised.”

A fund named “Rest” on Friday seemingly outed itself as one of the impacted orgs by telling members “Over the weekend of 29-30 March 2025, Rest became aware of some unauthorised activity on our online MemberAccess portal.”

Rest continued: “We believe the impact of this incident has been limited to approximately 8,000 members who may have had some limited personal details accessed,” before adding “No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

Local media reports suggest other funds have detected money was improperly withdrawn.

One unnamed fund apparently tried to fend off 600 attacks.

It’s suggested crims gained access to accounts, perhaps by acquiring credentials from stolen data sold on the dark web, and then raided accounts in the small hours of Friday morning. That time of day was apparently chosen as attempts to transfer funds from super accounts, or to reset account passwords, often trigger SMS messages to re-authenticate users or distribute one-time passwords.

In Australia as elsewhere plenty of people silence their phones overnight, so crims could have attacked under cover of darkness and silence. We imagine TXTs sent to account holders to alert them of one-time codes distributed by email could have gone unnoticed. If crims could access those email accounts, they would likely gain the creds they needed to log in to super fund customer portals.
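The pattern described above has two signals a fund’s fraud team could look for in its own portal logs: one source replaying credentials against many distinct member IDs in a short burst, and a password reset followed by a withdrawal request during the hours when SMS alerts are likely to go unheard. The script below, an added illustration rather than anything published by The Register or by any super fund, runs both checks over a handful of constructed sample events. The log format, the 00:00–06:00 “quiet hours”, and the thresholds are assumptions chosen for the example, not values taken from any fund’s systems.

```python
"""
Detection sketch for the scenario discussed above: credential replay
against a member portal, then password resets and withdrawal requests
in the small hours when SMS alerts are likely to be missed.
All log lines and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample portal events: "timestamp|member_id|event|source_ip"
SAMPLE_LOG = """\
2025-04-04T02:10:05|M1001|login_failure|203.0.113.7
2025-04-04T02:10:06|M1002|login_failure|203.0.113.7
2025-04-04T02:10:07|M1003|login_success|203.0.113.7
2025-04-04T02:10:08|M1004|login_failure|203.0.113.7
2025-04-04T02:10:09|M1005|login_failure|203.0.113.7
2025-04-04T02:10:10|M1006|login_success|203.0.113.7
2025-04-04T02:12:30|M1003|password_reset|203.0.113.7
2025-04-04T02:21:45|M1003|withdrawal_request|203.0.113.7
2025-04-04T02:15:00|M1006|password_reset|203.0.113.7
2025-04-04T09:30:00|M2001|login_success|198.51.100.20
2025-04-04T09:35:00|M2001|password_reset|198.51.100.20
2025-04-04T09:50:00|M2001|withdrawal_request|198.51.100.20
"""

# Assumed tuning values (not from any fund's configuration)
QUIET_HOURS = range(0, 6)                         # local hours when SMS OTP alerts likely go unheard
RESET_TO_WITHDRAWAL_WINDOW = timedelta(minutes=30)
STUFFING_MIN_DISTINCT_MEMBERS = 5
STUFFING_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the pipe-separated sample format into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, member, event, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "member": member,
                       "event": event, "ip": ip})
    events.sort(key=lambda e: e["ts"])
    return events


def find_quiet_hours_reset_then_withdrawal(events):
    """Members whose password reset is followed by a withdrawal request
    within the window, with the withdrawal landing in quiet hours.
    Returns a sorted list of member ids."""
    last_reset = {}
    flagged = set()
    for e in events:
        if e["event"] == "password_reset":
            last_reset[e["member"]] = e["ts"]
        elif e["event"] == "withdrawal_request":
            reset_ts = last_reset.get(e["member"])
            if (reset_ts is not None
                    and e["ts"] - reset_ts <= RESET_TO_WITHDRAWAL_WINDOW
                    and e["ts"].hour in QUIET_HOURS):
                flagged.add(e["member"])
    return sorted(flagged)


def find_credential_stuffing_sources(events):
    """Source IPs that attempted logins against many distinct member ids
    within a short window, the signature of a replayed credential list.
    Returns a sorted list of IPs."""
    attempts_by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("login_success", "login_failure"):
            attempts_by_ip[e["ip"]].append((e["ts"], e["member"]))
    flagged = set()
    for ip, attempts in attempts_by_ip.items():
        start = 0
        # sliding window over the time-sorted attempts from this source
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > STUFFING_WINDOW:
                start += 1
            distinct = {m for _, m in attempts[start:end + 1]}
            if len(distinct) >= STUFFING_MIN_DISTINCT_MEMBERS:
                flagged.add(ip)
                break
    return sorted(flagged)


def run(text=SAMPLE_LOG):
    """Run both detections and return their hits keyed by rule name."""
    events = parse_log(text)
    return {
        "quiet_hours_reset_then_withdrawal": find_quiet_hours_reset_then_withdrawal(events),
        "credential_stuffing_sources": find_credential_stuffing_sources(events),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

On the sample data the first rule flags member M1003 (reset at 02:12, withdrawal at 02:21) but not M2001, whose reset-then-withdrawal happened mid-morning; the second flags 203.0.113.7, which tried six member IDs in five seconds. A fund would feed its portal’s own events in place of SAMPLE_LOG, and the natural response to a hit is to hold the withdrawal for out-of-band verification rather than rely on the overnight SMS the attacker is counting on being missed.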

Superannuation funds are generally not accessible until account-holders turn 60, so if crims have managed to cash out some accounts they’ve either compromised many victims and found some ripe for exploitation, or done some homework on who to target.

The Register has checked the websites of funds reported to have been hit in this wave of attacks and found most have posted notices warning customers of higher-than-usual levels of inquiries to call centers. Some funds’ websites are unresponsive, suggesting a flood of traffic from concerned customers.

This is a developing story and The Register will update it as more information becomes available.

Australia’s superannuation system last came to our attention in 2024 when Google Cloud deleted systems it ran for a fund called UniSuper. ®
