Multiple large superannuation funds have been targeted in suspected cyber attacks that led to some members losing several thousand dollars in retirement savings.
Hostplus, Rest, AustralianSuper and Australian Retirement Trust are among the providers targeted.
The attacks were discovered over the weekend, and follow rising reports of online security threats in Australia with a cyber crime reported every 6 minutes.
Cyber experts say there were "major security weaknesses" in the superannuation sector that had been flagged, and the breach should be a wake-up call for the industry.
What happened?
AustralianSuper, the nation's biggest retirement fund, said cyber criminals may have used up to 600 members' stolen passwords to log into their accounts.
The hackers allegedly sought lump sum withdrawals.
The attack followed a spike in "suspicious activity" on AustralianSuper's website and app, chief member officer Rose Kerlin said.
The company identified that members' stolen passwords were used to log into their accounts "in attempts to commit fraud".
"We took immediate action to lock these accounts and let those members know," Ms Rose said.
The superannuation industry association also confirmed members' funds had been stolen.
"While the majority of attempts were repelled, unfortunately a number of members were affected," the group said in a statement.
The ABC understands that no members from Rest, Hostplus, Insignia and Australian Retirement Trust lost retirement savings.
Hostplus said it was still investigating.
AustralianSuper confirmed that members were still struggling to access their accounts, and that some were showing zero funds.
"Even though you may not be able to see your account, or you are seeing a $0 balance, your account is secure," the financial company said.
Rest customers were also experiencing outages and struggling to access accounts.
How could accounts be accessed?
Matt Warren, director of the RMIT Centre for Cyber Security Research and Innovation, said the breach appeared to involve large amounts of stolen data that was sold on the dark web.
The data would have included people's usernames and passwords.
"Someone would have bought that and then started to research how to undertake the attack," he told the ABC.
He said the superannuation sector was an easy target, because some accounts do not require multi-factor authentication.
Multi-factor authentication is a process in which, after you enter your password, a security code is sent either to an app on your phone or via SMS.
It provides an additional layer of security.
"It means if someone had your username or password and they didn't have that code, they can't log into your account," Professor Warren said.
Alastair MacGibbon, chief strategy officer at CyberCX, referred to the attacks as "coordinated attempted fraud".
He said it did not appear that there was any evidence of hacking, or criminals compromising any software systems.
Instead, it was a case of so-called "credential stuffing".
He described credential stuffing as a type of attack where criminals use stolen credentials from one platform to gain unauthorised access to multiple user accounts.
"They're taking usernames and passwords that have been stolen in other data breaches," he said.
"In effect, if people use the same passwords for multiple accounts, it only takes one data breach for persistent and savvy criminals to gain unauthorised access to their other accounts."
He added that CyberCX was tracking an increase in these attacks, and credential stuffing was a growing threat to businesses and individuals.
How can accounts be kept secure?
In 2024, the Financial Services Council released a standard for superannuation companies to make multi-factor authentication systems compulsory.
The requirement recommended the security measures be implemented by July 2026.
Professor Warren said that given the need to better secure accounts was outlined by the Financial Services Council last year, the superannuation funds should be held accountable.
"It's been known for a long while that there's a major security weakness with superannuation," he said.
"It's a real wake-up call ... the people behind these sorts of attacks would have been aware that in Australia many superannuation fund companies didn't have compulsory multi-factor authentication."
University of Melbourne Academic Centre of Cyber Security Excellence professor Toby Murray said the attacks did not appear to be very sophisticated.
He said the superannuation companies may not have had adequate automated fraud detection.
Professor Murray said there would have been irregular transactions occurring at unusual hours which should have been flagged as suspicious.
"It doesn't pass the pub test," he said.
Mr MacGibbon agreed that the attack was not very sophisticated, and most customers should not be concerned about their funds.
But it was clear the superannuation industry needed strong security measures.
He also called on people to ensure they regularly update passwords so they are "unique and hard to guess", and are not repeated across multiple accounts.
"We've all seen the banks really radically improve security … We need to do the same thing for super accounts," Mr MacGibbon said.
"There needs to be proper anti-fraud technologies used by these super funds, and that's the wake-up call that I think Australians should have today."
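As an added illustration (not code from the article, nor from any of the funds or experts named), the kind of automated check Professor Murray describes can be sketched in a few lines: pick out a credential-stuffing source from login logs (one address trying many member accounts with mostly failed logins, as described by Mr MacGibbon) and hold for review any withdrawal request that follows such a session or arrives outside business hours. The sample events, field layout and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real fund data): (timestamp, type, member, ip, detail).
EVENTS = [
    ("2025-04-05T02:10:00", "login", "m1001", "203.0.113.7", "fail"),
    ("2025-04-05T02:10:01", "login", "m1002", "203.0.113.7", "fail"),
    ("2025-04-05T02:10:02", "login", "m1003", "203.0.113.7", "fail"),
    ("2025-04-05T02:10:03", "login", "m1004", "203.0.113.7", "ok"),
    ("2025-04-05T02:10:04", "login", "m1005", "203.0.113.7", "fail"),
    ("2025-04-05T02:15:00", "withdraw", "m1004", "203.0.113.7", "lump_sum"),
    ("2025-04-05T09:30:00", "login", "m2001", "198.51.100.20", "ok"),
    ("2025-04-05T09:40:00", "withdraw", "m2001", "198.51.100.20", "lump_sum"),
]

STUFFING_MIN_ACCOUNTS = 5     # distinct members tried from one IP (assumed threshold)
STUFFING_MIN_FAIL_RATE = 0.6  # share of failed logins from that IP (assumed threshold)
BUSINESS_HOURS = range(8, 19)

def stuffing_sources(events):
    """IPs whose logins look like credential stuffing: many distinct members
    tried, mostly failing, since a breached password only works where it was reused."""
    tried, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, kind, member, ip, outcome in events:
        if kind != "login":
            continue
        tried[ip].add(member)
        total[ip] += 1
        if outcome == "fail":
            fails[ip] += 1
    return {ip for ip in tried
            if len(tried[ip]) >= STUFFING_MIN_ACCOUNTS
            and fails[ip] / total[ip] >= STUFFING_MIN_FAIL_RATE}

def flag_withdrawals(events):
    """Withdrawals to hold for review: the session came from a stuffing source,
    or the request arrived outside business hours. Returns (member, reasons) pairs."""
    suspicious_ips = stuffing_sources(events)
    flagged = []
    for ts, kind, member, ip, _ in events:
        if kind != "withdraw":
            continue
        reasons = []
        if ip in suspicious_ips:
            reasons.append("session from credential-stuffing source")
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((member, reasons))
    return flagged
```

In a real deployment the thresholds would be tuned against the fund's normal login and withdrawal patterns, and a flagged request would be held for manual or step-up verification rather than silently dropped.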
Will victims get money back?
Superannuation funds are urging their members to check accounts for signs of fraud, ensure their banking and contact details are correct, and change their password if it is not unique to their account.
Australia's National Cyber Security Coordinator Lieutenant General Michelle McGuinness said superannuation and banking firms were working with government agencies to respond to the attack.
"I am coordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice," she said.
Mr MacGibbon believed that customers impacted would be protected by insurance.
"Those funds are obviously going to be returned by the superannuation companies," he said.
Superannuation funds are protected under the Australian Prudential Regulation Authority's financial claims schemes, but only up to a limit of $250,000 per account holder.
Professor Warren said he would expect superannuation companies to "do the right thing" and ensure members received their money back.
He said that given requirements for better protection were released in 2024, the superannuation funds should be held accountable.
"The onus is on the superannuation companies to improve their cyber security," he said.