
Cyberattack on Super Funds Demands Urgent Industry Reckoning

A coordinated cyberattack hit Australia’s largest pension funds, compromising over 20,000 accounts. Hackers targeted retirees for fraud, exploiting weak authentication. The breach exposed major gaps in super fund security and shook public trust in the $3.5T industry.


The attack occurred over the weekend of March 29–30, 2025, and was confirmed by officials on April 4 — a calculated, coordinated breach that infiltrated Australia’s largest pension funds, compromised more than 20,000 accounts, and led to direct theft from member savings at the country’s biggest fund.

This was not a random strike. Hackers targeted members drawing down their pensions — retirees eligible for lump sum withdrawals — and moved strategically, altering passwords in the early morning hours to bypass mobile alert systems. The operation demonstrated a chilling level of familiarity with Australia’s superannuation processes.

AustralianSuper, Hostplus, Rest, Insignia Financial (MLC), and Australian Retirement Trust all confirmed they were affected. AustralianSuper’s Chief Member Officer, Rose Kerlin, stated, 

“Cyber criminals may have used up to 600 members’ passwords to log into their accounts in attempts to commit fraud.” 

In a social media update, AustralianSuper acknowledged a spike in suspicious activity and reassured members that steps were taken to secure accounts. The post also warned of potential service disruptions due to increased online traffic:

Insignia Financial confirmed suspicious login activity on its Expand Wrap Platform, affecting around 100 customers. In a LinkedIn update, the company noted that there has been no financial impact to date and that no other platforms were affected. Customers were advised to update passwords and avoid reusing credentials across services.


While swift measures were taken to lock accounts, the breach has already eroded member confidence.

Rest CEO Vicki Doyle said about 20,000 of its members — roughly 1 per cent — were impacted. 

“We responded immediately by shutting down the Member Access portal, undertaking investigations and launching our cybersecurity protocols,” she said, adding that no funds were transferred in their case. Other funds also limited account access and prompted password resets.

The attack was a credential-stuffing campaign — a tactic using stolen passwords likely harvested from earlier data leaks and traded on the dark web. Experts say the scale and precision of this breach should surprise no one.
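The two signals described in this article, a credential-stuffing source that tries many accounts with mostly failed logins, and an overnight password change followed by a withdrawal request, can be checked in login telemetry. The detector below is an added illustration, not code from any of the funds named here; the log format, field names and thresholds are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (assumed format, not real fund logs):
# timestamp, source IP, account ID, event, outcome
EVENTS = """\
2025-03-30T02:14:05 203.0.113.7 acct1001 login FAIL
2025-03-30T02:14:07 203.0.113.7 acct1002 login FAIL
2025-03-30T02:14:09 203.0.113.7 acct1003 login OK
2025-03-30T02:14:11 203.0.113.7 acct1004 login FAIL
2025-03-30T02:14:13 203.0.113.7 acct1005 login FAIL
2025-03-30T02:14:15 203.0.113.7 acct1006 login OK
2025-03-30T02:20:40 203.0.113.7 acct1003 password_change OK
2025-03-30T02:25:12 203.0.113.7 acct1003 withdrawal_request OK
2025-03-30T09:05:00 198.51.100.4 acct2001 login OK
2025-03-30T09:06:30 198.51.100.4 acct2001 password_change OK
"""

LINE = re.compile(r"(\S+) (\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(text):
    """Turn the raw log text into (timestamp, ip, account, event, outcome) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, ip, acct, ev, out = m.groups()
            events.append((datetime.fromisoformat(ts), ip, acct, ev, out))
    return events

def stuffing_sources(events, min_accounts=5, min_fail_ratio=0.5):
    """Source IPs that try many distinct accounts with a high failure ratio:
    the signature of replaying leaked credential lists."""
    per_ip = defaultdict(lambda: {"accts": set(), "fail": 0, "total": 0})
    for _, ip, acct, ev, out in events:
        if ev != "login":
            continue
        s = per_ip[ip]
        s["accts"].add(acct)
        s["total"] += 1
        s["fail"] += 1 if out == "FAIL" else 0
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["accts"]) >= min_accounts
                  and s["fail"] / s["total"] >= min_fail_ratio)

def risky_withdrawals(events, night_hours=range(0, 6)):
    """Accounts whose password was changed overnight from a flagged source
    and that then requested a withdrawal: candidates for a manual hold."""
    flagged = set(stuffing_sources(events))
    changed, hits = set(), []
    for ts, ip, acct, ev, out in events:
        if ev == "password_change" and out == "OK" and ip in flagged and ts.hour in night_hours:
            changed.add(acct)
        elif ev == "withdrawal_request" and acct in changed:
            hits.append(acct)
    return hits
```

A real deployment would key on a session or device fingerprint as well as IP, since stuffing tools rotate through proxies.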

“An attack on Australian superannuation was always inevitable, some would say overdue,” 

warned Professor Paul Haskell-Dowland from Edith Cowan University. Matthew Warren, Director of RMIT’s cybersecurity centre, highlighted “weak authentication measures” and urged mandatory multi-factor authentication (MFA) across the industry.

The government’s National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, is leading the response, working with funds to assess the extent of the damage and coordinate recovery. Still, the issue at hand isn’t just operational — it’s existential.

In a public statement posted to LinkedIn, McGuinness outlined the broader government response and offered guidance to affected Australians:

I am aware cyber criminals are targeting individual account holders of a number of superannuation funds. I am working with agencies across the Australian Government including with the financial system regulators, and with industry stakeholders to provide cyber security advice and coordinate the whole-of-government response to this incident. The Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) are engaging with all potentially impacted superannuation funds to support safe outcomes for members. Super fund members should follow the advice of their superannuation funds: check your accounts, remain engaged with your funds if you are concerned you have been impacted, and be vigilant of potential fraud. If you are concerned about potential impacts from this, the Australian Government’s trusted source of cyber security advice – cyber.gov.au – has information on simple steps you can take to protect yourself online. We are continuing to work with affected superannuation funds in response to this issue.

Australia’s superannuation industry manages over $3.5 trillion in retirement savings. These funds are built on long-term trust — trust that the systems protecting these assets are secure, modern, and resilient. This breach makes clear that such trust has been taken for granted.

The Association of Superannuation Funds of Australia (ASFA) has called for tighter coordination between funds, financial services, and government agencies, including shared intelligence and a unified cybersecurity framework.
