Multiple Australian Super Funds suffer cyber attacks with losses of $500,000.

April 6, 2025

The Australian, in Zero dollars showing on some accounts but AustralianSuper says no need to panic, reports on the attacks on AustralianSuper and other funds. The haul: $500,000. What is interesting about the cyber attacks is that they were co-ordinated and the targets were all superannuation industry bodies. The means of entry was stolen passwords, a technique known as credential stuffing. The passwords were possibly obtained from the dark web, which suggests they were acquired in a previous cyber attack. The theft didn’t involve attacking the cyber defences themselves, but rather logging in with those stolen passwords. As usual in Australia the funds were keen to maintain silence about the breaches. The Australian Retirement Trust denied this by saying that it notified regulators, just not the public. The spokesman was even more crafty with terminology, claiming that the affected customers were notified, but not all customers. This lack of candour is not present in the USA when dealing with cyber attacks. That is a much more mature approach.

The story is covered by the Guardian, the Australian Financial Review and Nine amongst others.

The Australian article provides:

Cyber criminals have carried out a co-ordinated hit on some of the country’s biggest super funds including Australian Super, Australian Retirement Trust, Hostplus and Rest, and thousands of members are understood to be affected.

AustralianSuper

AusSuper chief member officer Rose Kerlin said cyber criminals may have used stolen passwords to log into the accounts belonging to 600 of its members “in attempts to commit fraud”.

Four AustralianSuper customers have lost $500,000 in the cyber raids, although the fund moved to assure customers who were seeing a “$0 balance” on their profiles that they had secure accounts.

Rest Super

Rest Super chief executive Vicki Doyle said 8000 member accounts were affected.

It’s understood criminals attempted to use stolen passwords gathered from other hacks — and possibly shared on the dark web — to break into the accounts.

“Over the weekend of March 29-30, 2025, Rest became aware of some unauthorised activity on our online Member Access portal,” she said.

“No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

Hundreds of Australian Retirement Trust members first had their accounts breached by cyber criminals about a month ago.

Australian Retirement Trust

Despite a spike of suspicious login attempts on March 8 affecting a few hundred Australian Retirement Trust customers, news about the attack – a co-ordinated hack carried out by cyber criminals on multiple funds – only emerged on Friday.

A spokesman for the fund, which manages more than $300bn in superannuation savings, told The Australian the customers were notified at the time.

He said regulatory agencies were notified soon after, and he denied the company kept news about the widespread cyber attack silent.

About another hundred customers were affected by the continued cyber attacks in the same way to that reported by AustralianSuper and Rest – referred to as “credential stuffing”. No ART account money was stolen.

Credential stuffing uses stolen passwords to gain unauthorised access to data.

Insignia Financial

Insignia Financial said it detected suspicious activity on 100 Expand Wrap Platform customers’ accounts early on Monday.

“At this stage there has been no financial impact to customers,” MLC Expand CEO Liz McCarthy said.

“Our Cyber Security team are actively working to apply additional monitoring and mitigations to protect customer accounts. As a precaution we have taken steps to restrict some activities on the Expand Platform.

“Some customers will receive communications prompting them to reset their passwords when they next login to their accounts.

Hostplus

Hostplus chief executive David Elia said the fund was investigating how its members were affected, but said “we can confirm that no Hostplus member losses have occurred”.

“We had seen various attempts to hack into members accounts but none have succeeded to date,” he said.

“We are of course continuing to monitor the situation and are remaining vigilant.”

Political response

Prime Minister Anthony Albanese sought to downplay the major cyber attack, saying they occur every six minutes.

Opposition home affairs spokesman James Paterson accused Mr Albanese of failing to take the superannuation account breaches seriously.

“The Prime Minister clearly doesn’t understand how serious this is when he described it as just ‘a regular issue’,” Senator Paterson said.

National cyber security

National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness said she was aware “cyber criminals are targeting individual account holders of a number of superannuation funds”.

“I am co-ordinating engagement across the Australian government, including with the financial system regulators, and with industry stakeholders to provide cyber security advice,” she said.

“If you have been impacted or are concerned you may have been impacted, follow the advice provided by your super fund.”

A task force has this week been examining the breach, Home Affairs’ National Cyber Security chief is co-ordinating involvement of government agencies, including the Australian Securities and Investments Commission and Prudential Regulation Authority, plus major super funds.

The agencies are sharing information to investigate the incident.

Cyber CX chief strategy officer Alastair MacGibbon said there was a “very low chance” of catching the culprits behind the cyber raids.

He said the raids on superannuation accounts appeared to be fraud rather than a cyber intrusion, and should be a wake-up call for financial institutions to implement robust multi-factor authentication.

He said it looked like a case of “credential stuffing”, which involves using stolen usernames and passwords that are already circulating on the dark web.

“While it looks big, it’s not a cyber incident, per se. It’s fraud,” Mr MacGibbon said.

“No one has hacked anything. It’s putting usernames and passwords in, which is different from compromising some common thread between all of the superannuation companies.”

He said superannuation companies, like other financial institutions, needed to secure customers’ accounts with third-party multi-factor authentication systems.

Many super funds, including AustralianSuper and Australian Retirement Trust, have opt-in multi-factor authentication systems in place.

Mr MacGibbon said systems that used SMS messages were not sufficient, because phone SIM numbers could be transferred by fraudsters.

Association of Superannuation Funds of Australia said in a statement it was “aware that last weekend hackers attempted to get through the cyber-defences of a number of superannuation funds”.

“While the majority of the attempts were repelled, unfortunately a number of members were affected. Funds are contacting all affected members to let them know and are helping any whose data has been compromised,” the statement says.
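The pattern the article describes (a source replaying leaked username and password pairs against a member portal where MFA is only opt-in) leaves a recognisable trace in login logs. The following is an added example written for this post, not code from the article or any of the funds; the log format, thresholds, member names and IP addresses are all constructed:

```python
# Added example (not from the article or any fund): credential-stuffing triage
# over constructed member-portal login logs. Line format:
#   timestamp,src_ip,username,result,mfa   (result OK/FAIL; mfa yes/no, opt-in)
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 replays a leaked credential list across many
# accounts; 198.51.100.20 is one member mistyping a password, then using MFA.
SAMPLE_LOG = """\
2025-03-29T02:00:01Z,203.0.113.7,member1001,FAIL,no
2025-03-29T02:00:02Z,203.0.113.7,member1002,FAIL,no
2025-03-29T02:00:03Z,203.0.113.7,member1003,OK,no
2025-03-29T02:00:04Z,203.0.113.7,member1004,FAIL,no
2025-03-29T02:00:05Z,203.0.113.7,member1005,FAIL,no
2025-03-29T02:00:06Z,203.0.113.7,member1006,OK,yes
2025-03-29T02:00:07Z,203.0.113.7,member1007,FAIL,no
2025-03-29T08:15:00Z,198.51.100.20,member2001,FAIL,no
2025-03-29T08:15:30Z,198.51.100.20,member2001,OK,yes
"""


def parse_log(text):
    """Turn CSV-style lines into event dicts with real timestamps."""
    events = []
    for line in filter(None, map(str.strip, text.splitlines())):
        ts, ip, user, result, mfa = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "ip": ip, "user": user, "ok": result == "OK", "mfa": mfa == "yes"})
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.6):
    """Flag source IPs that hit many distinct accounts, mostly failing, within one
    sliding window. A member touches one or two accounts; a stuffing tool replays a
    leaked list, so the distinct-account count (not raw volume) is the signal."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            fails = sum(not e["ok"] for e in win)
            if len({e["user"] for e in win}) >= min_accounts and fails / len(win) >= min_fail_ratio:
                ok = {e["user"] for e in evs if e["ok"]}
                flagged[ip] = {"attempted": {e["user"] for e in evs}, "succeeded": ok,
                               # successes without a second factor are the fraud-risk accounts
                               "no_mfa_success": {e["user"] for e in evs if e["ok"] and not e["mfa"]}}
                break
    return flagged


def triage(text):
    """What the fund acts on: block sources, reset every account a source touched,
    put no-MFA successes through fraud review, note where MFA held the line."""
    flagged = detect_stuffing(parse_log(text))

    def pick(key):
        return sorted(u for f in flagged.values() for u in f[key])
    return {"stuffing_sources": sorted(flagged), "reset_password": pick("attempted"),
            "fraud_review": pick("no_mfa_success"),
            "mfa_held": sorted(set(pick("succeeded")) - set(pick("no_mfa_success")))}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A stuffing tool that spreads the same list across many source addresses will slip under a per-IP threshold, so in production the same distinct-account test is also worth running per user-agent or per ASN.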

Privacy breach complaint against Griffith University

April 4, 2025

The Australian reports in Griffith University subject to privacy, discrimination claims on how personal information can be casually misused as part of another process. On this occasion an academic forwarded a copy of a letter of censure, addressed to a Mr Stella at his home address, to third parties unconnected to the process. Worse, the letter was sent to the people whose complaint about Stella had led to the letter being issued. That is a clear breach of privacy. The personal information was collected for the purpose of processing Stella’s application and administering his attendance at the university. There was no good reason for that information being disclosed to others. The award of $10,000 is quite modest.


Statutory cause of action for serious invasion of privacy to take effect on 10 June 2025, a little over 2 months away. Other amendments will come into effect later. Amendments which give the Privacy Commissioner greater powers came into effect on 10 December 2024.

April 3, 2025

As I posted previously, on 10 December 2024 the Privacy and Other Legislation Amendment Bill 2024 (Cth) received Royal Assent. The Privacy and Other Legislation Amendment Act 2024 (Cth) (Amendment Act) introduces several significant amendments to the Privacy Act 1988 (Cth) (Privacy Act), many of which came into effect immediately upon assent. Others come into effect later.

The changes:

  • Statutory Cause of Action for Serious Invasions of Privacy: Comes into effect on 10 June 2025.

Under the tort, individuals can take legal action against organisations or individuals for serious invasions of privacy. The two bases are intrusion into personal seclusion and misuse of personal information. It is quite a complex tort. The limitation period is 1 year from the date the intrusion occurred or was discovered.

  • Automated Decision-Making: Comes into effect on 10 December 2026

New transparency obligations require organisations to update their privacy policies to disclose when decisions are made using automated processes.

  • Doxxing Offence: Came into effect on 11 December 2024.

It is illegal to share someone’s personal information with the intent to harm. This offence is punishable by up to 7 years’ imprisonment.

  • Children’s Online Privacy Code: Code to be developed and registered by 10 December 2026

The Office of the Australian Information Commissioner (OAIC) is required to develop a code addressing online privacy for children. There will be a consultation period of 60 days.

  • Overseas Dataflows, Whitelist Powers: Came into effect on 11 December 2024.

The Minister has powers to ‘whitelist’ countries that provide substantially similar privacy protections, to assist entities disclosing personal information overseas.

  • Civil Penalty and Powers to Issue Infringement and Compliance Notices: Came into effect on 11 December 2024.

The Privacy Commissioner now has the power to issue infringement notices and compliance notices.

23andMe collapse raises serious privacy concerns.

April 2, 2025

23andMe is, or more accurately was, a personal genomics company. It collected genetic information. That is very sensitive. It suffered a data breach in October 2023 when hackers exploited an old password, resulting in them gaining access to the data of 6.9 million people. It became the subject of litigation and, in June 2024, of an investigation by the Canadian Privacy Commissioner and the UK Information Commissioner. Early in March the ICO released a notice of intent to fine 23andMe 4.59 million. 23andMe has just filed for Chapter 11 bankruptcy protection. At minimum that means a restructure. It may continue operating after the restructure. That has raised serious security concerns about the genetic data it holds. The New York Attorney General has urged customers to contact the company to delete their data. In What users need to know about privacy and data after 23andMe’s bankruptcy filing the Conversation sets out the privacy and data management issues arising from this. None of it alters 23andMe’s obligations to protect personal information.


T Mobile agrees to pay $350 million settlement for data breach which affected 76 million customers

March 31, 2025

T Mobile suffered a massive data breach in 2021. Ultimately T Mobile advised that personal information relating to 76 million customers had been accessed. It has been reported by MSN with T-Mobile prepares $350 million payments for data breach settlement.

The settlement highlights that data breaches can be an extremely costly experience for organisations. The settlement sum is only one component of the costs. There are costs associated with dealing with the regulator, sometimes more than one regulator. There are usually heavy costs in bringing in additional IT experts. Hackers often leave chaos behind, particularly in ransomware attacks. There may need to be rebuilding of the website, its programs and storage areas. In that context it remains concerning that so few mid-sized companies put in the time and effort required to reduce the

California Privacy Protection Agency v Honda; settlement with Honda paying $632,500 fine for breaching California Consumer Privacy Act by requiring excessive personal information, making it difficult for people to exercise their rights and not properly protecting privacy

The California Consumer Privacy Act 2018 (“CCPA”) has the most comprehensive privacy protections of all state-based privacy legislation in the USA. It took effect on 1 January 2020. Recently the Agency brought action against Honda for breaches of the CCPA. That has resulted in a settlement and a fine of $232,500.

The CCPA grants California consumers the right to:

  • know that personal information is collected, used, shared or sold;
  • delete personal information held by businesses;
  • opt out of the sale of personal information;
  • non-discrimination in terms of price or service.

Under the CCPA businesses must, inter alia:

  • provide notice to consumers before data collection;
  • create procedures to respond to requests from consumers to opt out, know and delete;
  • respond to requests from consumers to know, delete and opt out;
  • disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information.

According to the final order the breaches related to:

  • Excessive Personal Information. “Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit.”
  • Lack of Symmetrical Choices. “Using an online privacy management tool that failed to offer Californians their privacy choices in a symmetrical or equal way.”
  • Difficult to Appoint Authorized Agents. “Making it difficult for Californians to authorize other individuals or organizations (known as “authorized agents”) to exercise their privacy rights.”
  • Lack of Contracts. “Sharing consumers’ personal information with ad tech companies without producing contracts that contain the necessary terms to protect privacy.”

Excessive Personal Information. Honda required matching more than two data points (sometimes requiring up to eight data points) provided by the

Sydney Morning Herald, the Age and the Australian Financial Review suffer a data breach

March 29, 2025

The Nine papers group has suffered a data breach involving exposure of its subscribers’ information, some 16,000 in all (so far). That is particularly embarrassing for a news outlet that usually enjoys breathless reporting of the privacy fails of businesses. Here the reporting was by News.com with ‘Juicy customer data’ belonging to thousands of Aussies leaked from Nine, the ABC with Nine newspapers subscribers have data exposed online in breach and the Australian Financial Review with Nine audits external data security after breach exposes 16,000 readers. The Australian, a competitor in the market, gleefully reports on the breach with Sydney Morning Herald, The Age and Financial Review readers exposed in data breach.

The breach was the exposure of the names, postal addresses and email addresses of 16,000 subscribers. The information was held by a third party supplier. The cyber attack was on that supplier. While Nine is keen to state that there was no breach of its (excellent) cyber security structure, that does not alter the fact that a third party supplier’s cyber protection was not adequate. This is a very common situation. Large organisations using third party contractors or suppliers is seen as efficient and cost effective. Part of that work usually involves the contractor or supplier holding the organisation’s store of personal information or having authorisation to access the organisation’s homepage. Hackers recognise that many third party suppliers have less effective cyber protection and are vulnerable. To avoid this form of attack organisations should do what they can to require third party contractors and suppliers to have satisfactory and complementary cyber protection and systems in place. Unfortunately that is a conversation that is not had enough.


Victorian Ambulance suffers a data breach with personal data of 3,000 employees hacked

The Australian reports that Victorian Ambulance has suffered a data breach involving the personal and financial details of 3,000 employees. This data breach may have been caused by what has been described as a rogue employee. This is not a first for Ambulance Victoria. In 2023 it suffered a privacy breach, that time involving internal sharing of personal information. In the 2023 privacy breach the “..documents have been accessed only a handful of times in the past six months.” An exercise in minimisation. On this occasion the breach was detected by systems on the employee’s last day of service. In 2019 I posted on a data breach involving NSW Ambulance offices which resulted in a class action and a settlement of $275,000.

Data breaches involving staff going rogue are a chronic problem and can be a difficult one if there are not proper policies and systems in place. Some staff or soon-to-be ex-staff are motivated by malice, others by greed and some by curiosity. It is important to have programs in place that detect suspicious activity, like massive copying or exfiltration. It is also important to have a data breach response plan, with defined roles for members of the organisation. There also needs to be a plan to take court action if necessary. It is common to seek injunctive relief against ex-staff or consultants who make off with data. That is not an alternative to contacting police but complements such action.


UK Information Commissioner’s Office fines Advanced Computer 3.07 million pounds for security failures resulting in ransomware attack affecting 79,404 people. Lessons for Australian organisations.

March 28, 2025

The UK Information Commissioner’s Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a ransomware attack in August 2022 that disrupted the operation of NHS services and impacted 79,404 people. The ICO found that Advanced’s security measures fell seriously short of what it would expect from an organisation processing a large volume of sensitive information.

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people. That included, for 890 people receiving home care, details of how to gain entry to their property.

Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to £3.07m. One, but not the only, reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”. Other factors were Advanced’s notification of customers within 24 hours of discovery irrespective of whether they were affected, providing a team of 18 people to restore infrastructure, and engaging external experts to undertake a forensic investigation and analysis of the data impacted. Advanced also undertook a comprehensive review of potentially impacted data. There are lessons in the Australian context. It is important for an organisation to react quickly and decisively and to engage with all relevant authorities. That means having a plan.

The statement provides:

The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.

New South Wales court website hacked

March 27, 2025

Courts have long been a target of cyber attacks. There was a data breach at the Australian Federal Court in 2020, revealing the names of refugee applicants. In January 2024 the Victorian Court Services were hacked. That involved the recordings of hearings dating as far back as 2016. In January 2021 the United States Courts announced that they were putting in place extra safeguards to protect records in light of previous data breaches. In July 2022 the United States House Judiciary Committee investigated data breaches involving the U.S. Federal Court dating back to early 2020. The latest data breach involves the New South Wales court website. The Government confirms that about 9,000 court files, including domestic violence orders, were accessed in a data breach.

As is usual in Australia the initial information provided is vague, to put it kindly. It appears that credentials were used, either by a hacker or other person acquiring those credentials or by a person within the Department misusing his or her credentials. While the account holder gained unlawful access to the system, the obvious question is the adequacy of the controls protecting the information. Was there a separate password, available only to those with specific clearance, required to access that information? Why wasn’t there notification to IT of a person without authorisation accessing the information? How the breach was detected is not clear. The ABC reports that the breach was only detected later, during routine maintenance, when technicians noticed some data had changed. News reports that the breach was identified during a “security check” after some data had changed. Different backgrounding going on. Even more curious is what happened to the data. “Accessed” is a general term with a meaning ranging from having the ability to open documents, to actually opening those documents, to exfiltrating those files. It seems likely that the processes operating at the New South Wales Department of Justice were deficient.
