Preliminary Lessons from the Super Fund Data Breaches
- David Roberts
- Apr 9
- 2 min read
Updated: Apr 9
Last week, several of Australia’s largest superannuation funds — including some of the largest by membership size: Australian Super, Australian Retirement Trust, Insignia, Hostplus and REST — were hit by a wave of credential stuffing attacks. Using stolen usernames and passwords from unrelated breaches, cyber criminals accessed tens of thousands of member accounts and withdrew significant funds from a small number of them.

The breach doesn’t appear to be a ‘technical hack’ but an exploitation of weak authentication practices — notably, the absence of multi-factor authentication (MFA). Cyber criminals target those with obvious vulnerabilities and poor security or authentication practices.
MFA is a basic security practice that has been in use in Australia for 20+ years and should be mandatory for all organisations dealing with financial transactions and other sensitive data or processes such as health. It is nothing more than regulatory forbearance that APRA has not required this, given the level of risk to customers.
Further, the Office of the Australian Information Commissioner (OAIC), in its civil penalty proceedings against Medibank following the data breach that occurred in October 2022, alleged that Medibank failed to comply with its obligations under Australian Privacy Principle (APP) 11.1, found in Schedule 1 to the Privacy Act 1988 (Cth). Under APP 11.1, Medibank is required to take such steps as are reasonable in the circumstances to protect the personal information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.
It is reasonable to expect robust authentication controls from financial service organisations, as outlined not only in numerous relevant government security standards (such as APRA Prudential Guidance CPS 234 or ASD Essential Eight), but also in recent court filings from the OAIC and the Australian Securities and Investments Commission.
Key lessons for any organisation handling sensitive personal information:
- Enforce MFA across all user and administrative or privileged logins
- Monitor for leaked credentials and prompt resets where needed
- Prompt regular password resets
- Detect, throttle and investigate unusual login patterns
- Require step-up verification for sensitive transactions (e.g., bank detail changes)
- Utilise digital identity verification solutions
- Regularly test the entire stack of your incident response plan, including your detection mechanisms
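To make the "detect, throttle and investigate unusual login patterns" lesson concrete, here is an added example (not code from the original post or from any of the funds named) of what a credential-stuffing detector looks like in practice. It assumes a simplified, constructed authentication log format of `<timestamp> <source_ip> <username> <SUCCESS|FAILURE>`, flags any source that tries more than a threshold of distinct usernames within a sliding window, and lists every account that logged in successfully from such a source as a candidate for forced re-authentication or step-up verification. The sample log lines, the window and the threshold are all constructed for illustration.

```python
"""Credential-stuffing detection over authentication log lines (added example).

Credential stuffing looks different from a forgotten password: one source
works through MANY distinct usernames, each tried once or twice, with the
occasional success. A user who mistypes their own password hits ONE account
repeatedly. The detector below keys on distinct usernames per source.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays seven accounts and gets two hits;
# 198.51.100.5 is a legitimate user fumbling their own password.
SAMPLE_LOG = """\
2025-04-02T09:00:01Z 203.0.113.7 alice FAILURE
2025-04-02T09:00:02Z 203.0.113.7 bob FAILURE
2025-04-02T09:00:03Z 203.0.113.7 carol FAILURE
2025-04-02T09:00:04Z 203.0.113.7 dave SUCCESS
2025-04-02T09:00:05Z 203.0.113.7 erin FAILURE
2025-04-02T09:00:06Z 203.0.113.7 frank FAILURE
2025-04-02T09:00:07Z 203.0.113.7 grace SUCCESS
2025-04-02T09:01:00Z 198.51.100.5 alice FAILURE
2025-04-02T09:01:05Z 198.51.100.5 alice FAILURE
2025-04-02T09:01:09Z 198.51.100.5 alice SUCCESS
"""

WINDOW = timedelta(minutes=5)   # sliding window per source (assumed value)
MAX_DISTINCT_USERS = 5          # distinct usernames before throttling (assumed)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def analyse(log_text, window=WINDOW, max_users=MAX_DISTINCT_USERS):
    """Return (throttled_sources, accounts_to_review).

    throttled_sources: {ip: distinct_usernames_seen} for every source that
        exceeded `max_users` distinct usernames inside `window`.
    accounts_to_review: sorted usernames that logged in SUCCESSfully from a
        throttled source anywhere in the batch, including logins that happened
        before the source crossed the threshold. Those sessions should be
        invalidated and the account owner asked to re-verify.
    """
    recent = defaultdict(deque)     # ip -> deque of (timestamp, username)
    successes = defaultdict(list)   # ip -> usernames that logged in
    throttled = {}
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse_line(line)
        q = recent[ip]
        q.append((ts, user))
        # Drop attempts that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) > max_users:
            throttled[ip] = len(distinct)
        if outcome == "SUCCESS":
            successes[ip].append(user)
    review = sorted({u for ip in throttled for u in successes[ip]})
    return throttled, review


if __name__ == "__main__":
    throttled, review = analyse(SAMPLE_LOG)
    for ip, n in throttled.items():
        print(f"THROTTLE {ip}: {n} distinct usernames within {WINDOW}")
    for user in review:
        print(f"REVIEW   {user}: successful login from a throttled source")
```

Two design points worth noting. First, the detector counts distinct usernames rather than raw failures, so a legitimate user retrying their own password (198.51.100.5 above) is not throttled. Second, a corporate NAT gateway or mobile carrier can legitimately present many users from one address, so in production the threshold should be tuned per source reputation and paired with per-account signals (new device, new country, impossible travel) before a session is invalidated.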
As credential-based attacks rise, protecting access points and minimising data exposure is more important than ever. Financial institutions need to look past the minimums expected by regulators and focus on the risks to their customers.
Organisations that do not will face compliance risks and enforcement actions in addition to customer wrath and financial loss, including a likely civil penalty for interference with the privacy of individuals (not just ‘serious’ interference) under the Privacy and Other Legislation Amendment Bill 2024.