Super Funds Review Login Security After Breaches

Australia’s second-largest retirement fund is reviewing whether to make multifactor authentication (MFA) compulsory after it, along with several others, was compromised in a recent coordinated cyberattack. The move aims to prevent future breaches, but may impact user convenience and raise implementation costs across the sector.


The breach came to light last week and involved five major superannuation funds, including ART, AustralianSuper, REST, Hostplus and MLC Expand under Insignia Financial. It was reportedly carried out using a method called credential stuffing, in which attackers use login details stolen in previous hacks to access other accounts that reuse the same passwords.


So far, AustralianSuper has confirmed $500,000 was taken from four customer accounts, while other funds have reported no direct monetary loss but have seen suspicious activity. ART, which manages over $310 billion in retirement assets, had previously offered MFA as an optional feature but is now evaluating whether to enforce it across all accounts. Other funds have varying MFA policies, usually requiring it for high-risk actions such as withdrawals.


The breach sparked a response from top government agencies, including the Cybersecurity Ministry and the national cybersecurity co-ordinator, who indicated that the response from affected funds has been adequate. However, critics noted that public officials had been largely silent since the attack, and pressure continues to mount for industry-wide upgrades in security practices.


Cybersecurity analysts warn that stolen retirement account data is now for sale on the dark web, often gathered via malware known as “infostealers.” This highlights the growing need for proactive protections like MFA across industries holding sensitive personal and financial data. With over $4 trillion held in the superannuation system, any delay in tightening security could pose rising risks for millions of Australians.