Most Australian Super Funds Still Exposed After April Cyber-Raid, New Report Finds
A month after cyber-criminals siphoned more than A$700,000 from AustralianSuper member accounts, a forensic look at the sector’s email security has found that well over half of Australia’s superannuation funds are still running with the digital equivalent of an unlocked front door.
What the Proofpoint Audit Uncovered
Cyber-security firm Proofpoint examined 88 regulated super funds and discovered that 58 per cent have not activated “reject”-level Domain-based Message Authentication, Reporting and Conformance (DMARC) – the industry standard that stops emails spoofed with a fund’s domain from ever landing in a member’s inbox. Even more worrying, one in twelve funds has no DMARC controls at all.
DMARC operates on three graduated policy settings: monitor, quarantine and reject. Reject is the gold standard because it blocks mail that fails authentication outright. According to the audit only 42 per cent of funds use it, while 27 per cent remain on the “monitor” setting and 23 per cent sit at “quarantine”, leaving millions of retirement-savings accounts open to phishing and business-email-compromise scams.
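As an added illustration (not code from Proofpoint or from the article), this is the kind of check an audit like this performs: it classifies the TXT record(s) published at a domain's _dmarc name into the monitor, quarantine and reject tiers above, handles the cases that make a record weaker than it looks, and tallies the shares across a set of domains. The fund domains and their records are constructed for the example.

```python
from collections import Counter

TIER = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt: str) -> dict:
    """Split a TXT record into tag=value pairs; {} unless it is a v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def classify(txt_records: list[str]) -> dict:
    """Map the TXT records at _dmarc.<domain> onto the audit's tiers.

    Edge cases handled: more than one DMARC record (RFC 7489 says discard
    them all) or no p= tag counts as 'missing'; sp= gives subdomains their own
    tier; pct= below 100 is reported one step weaker, as RFC 7489 applies it.
    """
    valid = [t for t in (parse_dmarc(r) for r in txt_records) if t]
    if len(valid) != 1 or valid[0].get("p", "").lower() not in TIER:
        return {"tier": "missing", "subdomain_tier": "missing", "pct": 0}
    tags = valid[0]
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    def effective(policy: str) -> str:
        policy = policy.lower()
        if policy not in TIER:            # unknown sp= value: fall back to p=
            policy = tags["p"].lower()
        if pct < 100 and list(TIER).index(policy) > 0:
            policy = list(TIER)[list(TIER).index(policy) - 1]
        return TIER[policy]
    return {"tier": effective(tags["p"]), "pct": pct,
            "subdomain_tier": effective(tags.get("sp", tags["p"]))}

def tally(domains: dict[str, list[str]]) -> dict[str, float]:
    """Percentage of domains per tier, the shape of the article's 42/27/23/8 split."""
    counts = Counter(classify(recs)["tier"] for recs in domains.values())
    return {tier: round(100 * n / len(domains), 1) for tier, n in counts.items()}

# Constructed sample records for hypothetical fund domains (not from the audit).
SAMPLE = {
    "fund-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@fund-a.example"],
    "fund-b.example": ["v=DMARC1; p=quarantine; pct=100"],
    "fund-c.example": ["v=DMARC1; p=none; rua=mailto:rep@fund-c.example"],
    "fund-d.example": [],                                 # no record at all
    "fund-e.example": ["v=DMARC1; p=reject; sp=none"],    # subdomains left open
    "fund-f.example": ["v=DMARC1; p=reject; pct=20"],     # mostly still sampling
}
```

Run `tally(SAMPLE)` to see the split; the sp=none and pct=20 records are the ones a headline "reject" figure would overcount.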
A Wake-Up Call Ignored?
Last month’s credential-stuffing attack hit AustralianSuper, Australian Retirement Trust and Rest. Investigators believe stolen or reused passwords were leveraged by automated bots to drain accounts before red flags were raised. Police jurisdiction over the incident was initially unclear, prompting criticism from cyber experts who likened the response to asking “which station-house investigates a bank heist.”
Prime Minister Anthony Albanese described cyber raids as events that “happen all the time”, while Home Affairs Minister Tony Burke echoed a similar sentiment. The apparent nonchalance has rankled security professionals, who argue that super funds should be treated as critical financial infrastructure rather than mere custodians of pooled savings.
Why Email Security Matters So Much
Phishing remains the number-one entry vector in Australian cyber incidents. A forged email that convincingly mimics a fund’s brand can trick members into surrendering login details, bypassing even two-factor authentication if the code is harvested in real time. Proofpoint’s Asia-Pacific technology lead Steve Moros warned that the latest breach shows “these threats aren’t theoretical – they are actively stripping retirement income away from ordinary Australians.”
His view is echoed by Verizon regional vice-president Rob Le Busque, who compares good cyber hygiene to locking every window in a bank branch: “The smallest crack is enough for an intruder.”
Rapid-Fire Defence Shows What Is Possible
One of the funds caught in April’s raid moved within 24 hours to deploy an AI-driven security stack from Silicon Valley firm Cequence Security, a roll-out that normally takes months. Cequence’s regional manager Glen Maloney said early installation would almost certainly have stopped the bot-led attack in its tracks, underlining how quickly protective measures can be implemented when a breach forces the issue.
What Members Should Do Now
While trustees scramble to harden their systems, members are being urged to:
- Inspect every super-related email carefully – hover over senders’ addresses and look for subtle spelling changes or unexpected attachments.
- Ignore links that demand immediate action (e.g., “verify your account or it will be frozen”). Instead, log in through the fund’s official website or app.
- Enable phishing-resistant multifactor authentication (hardware tokens or passkeys) wherever a fund offers it.
- Check account balances regularly and report any unrecognised activity the moment it appears.
Regulator Pressure Building
The Australian Prudential Regulation Authority (APRA) expects trustees to meet CPS 234 information-security rules, yet the Proofpoint numbers suggest many boards still treat security as a cost centre rather than a fiduciary duty. In the wake of last year’s Medicare and Optus incidents, Canberra pledged tougher penalties for lax custodians of sensitive data; industry insiders expect super funds to be the next compliance focus.
Bottom Line
The April hack was supposed to be a wake-up call. Proofpoint’s audit shows that, for most super funds, the alarm is still ringing unheard. Until boards treat DMARC enforcement and broader cyber controls as essential infrastructure – not discretionary spend – Australia’s A$3.7 trillion retirement nest-egg remains an irresistible target.