“It could be from Medibank, it could be from Optus, it could be from Latitude. It could be from all of the other breaches that you haven’t heard of.”
“They package [the data] up … and they play it against other websites. In this case, they’ve gone after superannuation companies for good reason because they’ve got money, and they’re less well defended than a bank.”
But he said the super funds had a responsibility to protect the trillions of dollars of Australians’ earnings they managed, and called on the funds to increase their cybersecurity.
“They need to be thinking of themselves as the same as banks,” MacGibbon said.
“Banks have put in place more security, and it’s time for the regulators to make sure that the superannuation companies are doing the same thing.”
MacGibbon said he was not aware what security measures the super funds had in place, but strong multifactor authentication may help.
The former eSafety commissioner said a common multifactor authentication method, in which a “secure” code is sent to an account holder via text message, would be useless if hackers could use a stolen password to access the superannuation account and change the registered mobile number.
[Image caption: App-based multifactor authentication is regarded as less vulnerable to attack than secure codes sent via text message.]
He said when the hackers then transferred the funds out, they would receive the multifactor authentication text message, not the account holder. Multifactor authentication through an app was more secure because it all happened within the one phone.
MacGibbon said the super fund hackers – who made off with about $500,000 of four AustralianSuper customers’ money – would likely transfer the stolen funds into smaller banks that allowed transfers into cryptocurrency exchanges, making it almost impossible to trace.
He said funds should also increase anti-fraud technologies that detect abnormal behaviour, such as if a regular contributor’s account suddenly changed phone number and address and requested money be paid out.
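One way to implement the kind of abnormal-behaviour check described above, as an added illustration that is not from the article or any fund's own systems: the sample events, the seven-day window and the event names are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of member-account events: (member_id, timestamp, event, detail).
# Illustrative records only, not data from any fund.
SAMPLE_EVENTS = [
    ("M-1001", "2025-04-01T09:00:00", "login_success", ""),
    ("M-1001", "2025-04-01T09:02:00", "change_mobile", "<new number>"),
    ("M-1001", "2025-04-01T09:05:00", "change_address", "<new address>"),
    ("M-1001", "2025-04-01T09:20:00", "withdrawal_request", "150000"),
    ("M-2002", "2025-01-15T10:00:00", "change_address", "<new address>"),
    ("M-2002", "2025-04-02T11:00:00", "login_success", ""),
    ("M-2002", "2025-04-02T11:10:00", "withdrawal_request", "20000"),
]

CONTACT_CHANGES = {"change_mobile", "change_address"}


def flag_withdrawals(events, window_days=7):
    """Return {member_id: [reasons]} for withdrawal requests that follow a
    contact-detail change within `window_days`. A flagged request is the kind
    that should be held for out-of-band verification (for example via the
    previously registered number) rather than released on an SMS code sent
    to the newly registered mobile."""
    window = timedelta(days=window_days)
    recent = {}  # member_id -> {change event: time of most recent change}
    flags = {}
    for member, ts, event, _detail in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if event in CONTACT_CHANGES:
            recent.setdefault(member, {})[event] = when
        elif event == "withdrawal_request":
            reasons = [
                f"{ev} {int((when - t).total_seconds() // 60)} min before withdrawal"
                for ev, t in recent.get(member, {}).items()
                if when - t <= window
            ]
            if reasons:
                flags.setdefault(member, []).extend(reasons)
    return flags


if __name__ == "__main__":
    for member, reasons in flag_withdrawals(SAMPLE_EVENTS).items():
        print(member, "->", "; ".join(reasons))
```

Member M-1001 is flagged because both contact changes happened minutes before the payout request; M-2002 changed an address months earlier and is not flagged under the default window.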
MacGibbon said a lack of communication from the super funds after the breaches caused panic and confusion for members, and prioritising transparency and immediately repaying any stolen money would increase consumer confidence.
“A lot of people tried logging into their accounts, and obviously the organisations couldn’t cope with that volume of traffic. People were either seeing zero balances or they were not able to get in, which is problematic. They’ve got to communicate.”
He said the attack was a sustained and large-scale fraud attempt, but it had not been a disaster.
“This is what I call a wake-up call,” he said. “But [the hackers] haven’t made off like bandits. They haven’t made off with millions of dollars … because there is some security in place.
“To the individuals who’ve had their superannuation stolen, it’s not a small crime, of course, but they will get their money back … There is not a superannuation company in Australia that would run the risk of saying, ‘No, we’re not liable for that’. They would be playing with fire, and I will be first in the queue to condemn them.”
An Australian Prudential Regulation Authority spokeswoman said on Friday any superannuation members concerned they had lost money should contact their fund.
“Broadly, all super funds hold reserve funds, including the operational risk financial reserve, that could be used to support members in such circumstances,” the spokeswoman said. “Funds may also rely upon other sources such as insurance cover.”
Jonathan Steffanoni, managing partner at Melbourne-based law firm Legal & Prudential, said the “overarching context” was that the superannuation funds and members were “both victims of a crime”.
He said it appeared there had been a data breach under the Commonwealth Privacy Act, for which members might seek compensation via the Office of the Australian Information Commissioner. But there were limits on the compensation payable.
“That channel of redress is not designed to deal with instances of fraud,” Steffanoni said.
He said members whose funds had been stolen might also seek compensation by making a complaint to the trustee of their fund or the Australian Financial Complaints Authority.
However, Steffanoni believed it was “quite likely that the trustee and the members involved here will proactively come to some kind of settlement”. This would bypass a costly courts process and potentially also AFCA.
He said questions might arise about whether members had “contributed to some extent” to their loss by re-using passwords or not using two-factor authentication where available.
But in this case, there was still limited public information about exactly what had happened, Steffanoni said.
A spokesperson for Rest, one of the targeted super funds, on Saturday reassured members that no money had left their accounts.
“The security of our members’ accounts is our number-one priority,” the spokesperson said.
Rest confirmed it had faced issues with its online member portal and app due to a high number of customer queries, and its call centre was also dealing with high call volumes.
“We’re sorry for the inconvenience and we appreciate our members’ patience,” they said.
Australian Retirement Trust, AustralianSuper, HostPlus and Insignia Financial declined to provide an update on Saturday.
With Ashleigh McMillan