Peter A Clarke

The Australian with Zero dollars showing on some accounts but AustralianSuper says no need to panic reports that AustralianSuper. The haul, $500,000. What is interesting about the cyber attacks is that they were co ordinated and the targets were all in Super Industry bodies. The means of entry, stolen passwords, known as credential stuffing.  They were possibly obtained from the dark web, which suggests they were acquired from a previous cyber attack.  The theft didn’t involve attacking the cyber defences themselves, but rather As usual in Australia the funds were keen to maintain silence about the breaches.  The Australian Retirement Trust denied this by saying that it notified regulators just not the public.  The spokesman was even more crafty with terminology by claiming the affected customers were notified but not all customers.  This lack of candour is not present in the USA when dealing with cyber attacks.  That is a much more mature approach.

The story is covered by the Guardian, the Australian Financial Review and Nine amongst others.

The Australian article provides:

AustralianSuper

AusSuper chief member officer Rose Kerlin said cyber criminals may have used stolen passwords to log into the accounts belonging to 600 of its members “in attempts to commit fraud”.

Four AustralianSuper customers have lost $500,000 in the cyber raids, although the fund moved to assure customers who were seeing a “$0 balance” on their profiles that they had secure accounts.

Rest Super

Rest Super chief executive Vicki Doyle said 8000 member accounts were affected.

It’s understood criminals attempted to use stolen passwords gathered from other hacks — and possibly shared on the dark web — to break into the accounts.

“Over the weekend of March 29-30, 2025, Rest became aware of some unauthorised activity on our online Member Access portal,” she said.

“No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

Hundreds of Australian Retirement Trust members first had their accounts breached by cyber criminals about a month ago.

Australian Retirement Trust

Despite a spike of suspicious login attempts on March 8 affecting a few hundred Australian Retirement Trust customers, news about the attack – a co-ordinated hack carried out by cyber criminals on multiple funds – only emerged on Friday.

A spokesman for the fund, which manages more than $300bn in superannuation savings, told The Australian the customers were notified at the time.

He said regulatory agencies were notified soon after, and he denied the company kept news about the widespread cyber attack silent.

About another hundred customers were affected by the continued cyber attacks in the same way to that reported by AustralianSuper and Rest – referred to as “credential stuffing”. No ART account money was stolen.

Credential stuffing uses stolen passwords to gain unauthorised access to data.

Insignia Financial

Insignia Financial said it detected suspicious activity on 100 Expand Wrap Platform customers’ accounts early on Monday.

“At this stage there has been no financial impact to customers,” MLC Expand CEO Liz McCarthy said.

“Our Cyber Security team are actively working to apply additional monitoring and mitigations to protect customer accounts. As a precaution we have taken steps to restrict some activities on the Expand Platform.

“Some customers will receive communications prompting them to reset their passwords when they next login to their accounts.

Hostplus

Hostplus chief executive David Elia said the fund was investigating how its members were affected, but said “we can confirm that no Hostplus member losses have occurred”.

“We had seen various attempts to hack into members accounts but none have succeeded to date,” he said.

“We are of course continuing to monitor the situation and are remaining vigilant.”

Political response

Prime Minister Anthony Albanese sought to downplay the major cyber attack, saying they occur every six minutes.

Opposition home affairs spokesman James Paterson accused Mr Albanese of failing to take the superannuation account breaches seriously.

“The Prime Minister clearly doesn’t understand how serious this is when he described it as just ‘a regular issue’,” Senator Paterson said.

National cyber security

National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness said she was aware “cyber criminals are targeting individual account holders of a number of superannuation funds”.

“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice,” she said.

“If you have been impacted or are concerned you may have been impacted, follow the advice provided by your super fund.”

A task force has this week been examining the breach, Home Affairs’ National Cyber Security chief is co-ordinating involvement of government agencies, including the Australian Securities and Investments Commission and Prudential Regulation Authority, plus major super funds.

The agencies are sharing information to investigate the incident.

Cyber CX chief strategy officer Alastair MacGibbon said there was a “very low chance” of catching the culprits behind the cyber raids.

He said the raids on superannuation accounts appeared to be fraud rather than a cyber intrusion, and should be a wake-up call for financial institutions to implement robust multi-factor authentication.

He said it looked like a case of “credential stuffing”, which involves using stolen usernames and passwords that are already circulating on the dark web.

“While it looks big, it’s not a cyber incident, per se. It’s fraud,” Mr MacGibbon said.

“No one has hacked anything. It’s putting usernames and passwords in, which is different from compromising some common thread between all of the superannuation companies.”

He said superannuation companies, like other financial institutions, needed to secure customers’ accounts with third-party multi-factor authentication systems.

Many super funds, including AustralianSuper and Australian Retirement Trust, have opt-in multi-factor authentication systems in place.

Mr MacGibbon said systems that used SMS messages were not sufficient, because phone SIM numbers could be transferred by fraudsters.

Association of Superannuation Funds of Australia said in a statement it was “aware that last weekend hackers attempted to get through the cyber-defences of a number of superannuation funds”.

“While the majority of the attempts were repelled, unfortunately a number of members were affected. Funds are contacting all affected members to let them know and are helping any whose data has been compromised,” the statement says.

The Australian reports in Griffith University subject to privacy, discrimination claims on how personal information can be casually misused as part of another process. On this occasion an academic forwarded a copy of a letter of censure addressed to a Mr Stella at his home address to third parties unconnected to the process. Worse. The letter was sent to people who complained about Stella which resulted in the letter being sent. That is a clear breach of privacy. The personal information was collected for the purpose of processing Stella’s application and administration of his attendance at the university. There was good reasons for that information being disclosed to others. The award of $10,000 is quite modest.

The article Read the rest of this entry »

As I have posted previously on 10 December 2024 the Privacy and Other Legislation Amendment Bill 2024 (Cth), received Royal Assent. Under the Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act), it introduces several significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), many of which came into effect immediately upon assent. Others come into effect later.

The changes:

•  Statutory Cause of Action for Serious Invasions of Privacy: Comes into effect on a  10 June 2025.

Under the tort Individuals can take legal action against organisations or individuals for serious invasions of privacy. The two bases are intrusions into personal seclusion or misuse of personal information.  It is quite a complex tort.  The limitations period is 1 year from date the intrusion occurred or was discovered.

• Automated Decision-Making: Comes into effect on 10 December 2026
  

New transparency obligations require organisations to update their privacy policies to disclose when decisions are made using automated processes.

• Doxxing Offence: Came into effect on 11 December 2024. 

It is illegal to share someone’s personal information with the intent to harm. This offence is punishable by up to 7 years’ imprisonment.

• Children’s Online Privacy Code: Code to be developed and registered by 10 December 2026
  

The Office of the Australian Information Commissioner (OAIC) is required to develop a code addressing online privacy for children. There will be a consultation period of 60 days.

• Overseas Dataflows, Whitelist Powers: Came into effect on 11 December 2024.
  

The Minister has powers to ‘whitelist’ countries that provide substantially similar privacy protections, to assist entities disclosing personal information overseas.

•  Civil Penalty and Powers to Issue Infringement and Compliance Notices: Came into effect on 11 December 2024.

The Privacy Commissioner now has the powers to issue infringement notices and compliance notices for Read the rest of this entry »

23andMe is, or more accurately was, a personal genomics company. It collected genetic information. That is very sensitive. It suffered a data breach in October 2023 when hackers exploited an old password resutling in them gaining access to 6.9 million people. It became the subject of litigation and in June 2024 investigation by the Canadian Privacy Commissioner and the UK Information Commissioner. Early in March the ICO released a notice of intent to fine 23andMe with a 4.59 million fine. 23andMe has just filed for Chapter 11 bankruptcy protection. At minimum that means a restructure. It may continue operating after the restructure. That has raised serious security concerns about the genetic data it holds. The New York Attorney General has urged customers to contact the company to delete their data. In What users need to know about privacy and data after 23andMe’s bankruptcy filing the Conversation sets out the privacy and data management issues from this . That does not alter 23andME’s obligations to protection personal information.

The Conversation’s piece Read the rest of this entry »