Security experts are calling for change after multiple Australian super funds were targeted by a coordinated cyberattack that disrupted services, compromised customer information, and caused limited financial losses.

Over the weekend, several Australian superannuation licensees reported increased traffic and service disruptions amid an industry-wide cyberattack that targeted individual member accounts.

Varying impacts were observed across Cbus, Hostplus, Rest, Australian Retirement Trust (ART) and Insignia, while ABC News reported some $500,000 in losses across four members at AustralianSuper.

“A cyber incident has impacted a number of superannuation funds, including AustralianSuper,” the fund said.

“We have seen a spike in suspicious activity in relation to around 600 member accounts.

“Keeping members’ money safe is our highest priority and we have taken immediate steps to safeguard members’ accounts.”

Rest meanwhile noted “no member funds were transferred out of impacted members’ accounts” due to the unauthorised access attempts, though approximately 8,000 members may have had their personal details accessed, including first names, email addresses and member numbers.

Hostplus affirmed no financial losses had occurred, Insignia saw some 100 member accounts targeted on its Expand Platform with no financial impact, and ART likewise said “no suspicious transactions or changes” to its members’ accounts had been identified.

Cbus reported Monday night that it too experienced a cyber incident “several days after the reported attack impacting several other super funds”, and that it had “pro-actively deactivated” a small number of accounts under investigation.

“At this stage of our inquiries, there is no evidence that any financial losses have occurred for Cbus members,” read a company statement.

A Home Affairs departmental spokesperson told Information Age “all Australians should be alert to the possibility of criminals taking advantage of this incident” and encouraged people to set up strong, unique passphrases alongside multifactor authentication (MFA).

“The National Office of Cyber Security continues to work with agencies across the Australian Government, including with the financial system regulators, and with industry stakeholders to provide cybersecurity advice and coordinate the whole-of-government response to this incident,” they said.

A 'digital smash-and-grab'

Insignia said the attacks appeared to involve “a malicious third-party undertaking an activity known as credential stuffing”, which involves using already stolen credentials to conduct large-scale login attempts on target platforms.

“This isn’t some sophisticated espionage — it’s often just criminals armed with lists of stolen usernames and passwords from other breaches, trying them en masse across different websites,” Nalin Arachchilage, associate professor in cybersecurity at RMIT University, told Information Age.

“Think of it like someone walking down a street trying the same stolen key in every front door, hoping one opens.

“It’s a digital smash-and-grab.”

He added hackers rely on speed and volume for these attacks, hoping to exploit reused passwords before people change them or organisations “realise what's happening and shut the doors”.

“It’s fast, noisy, and effective, especially if basic defences aren’t in place,” he said.
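The "noisy" quality Arachchilage describes is what makes credential stuffing detectable: unlike a single member mistyping a password, a stuffing run tries many different member accounts from one source in a short span, most of them failing. The following is an added illustration, not code from any of the funds or from the article, that scans constructed authentication log lines (the format, IP addresses and member numbers are invented) and flags sources matching that pattern, returning the accounts that did log in successfully from a flagged source so they can be reviewed or proactively locked:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (hypothetical format and values, not real fund logs).
# 203.0.113.7 cycles through many member numbers quickly; 198.51.100.2 is one member
# retrying their own password; 192.0.2.9 is a normal single login.
SAMPLE_LOG = """\
2025-04-04T02:10:01Z ip=203.0.113.7 user=m10001 result=FAIL
2025-04-04T02:10:02Z ip=203.0.113.7 user=m10002 result=FAIL
2025-04-04T02:10:02Z ip=203.0.113.7 user=m10003 result=OK
2025-04-04T02:10:03Z ip=203.0.113.7 user=m10004 result=FAIL
2025-04-04T02:10:04Z ip=203.0.113.7 user=m10005 result=FAIL
2025-04-04T02:10:05Z ip=203.0.113.7 user=m10006 result=FAIL
2025-04-04T02:11:00Z ip=198.51.100.2 user=m20001 result=FAIL
2025-04-04T02:11:30Z ip=198.51.100.2 user=m20001 result=OK
2025-04-04T02:12:00Z ip=192.0.2.9 user=m30001 result=OK
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed timestamp."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), **fields}

def find_stuffing_sources(log_text, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that look like credential stuffing:
    many *different* accounts tried from one IP, mostly failing, in a short span.
    A single account failing repeatedly (forgotten password) is deliberately not flagged."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0,
                                  "hits": [], "first": None, "last": None})
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
        if e["result"] == "OK":
            s["hits"].append(e["user"])      # accounts the attacker actually got into
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "span_seconds": (s["last"] - s["first"]).total_seconds(),
                           "successful_logins": s["hits"]}
    return flagged
```

The thresholds are assumptions to tune per platform; the useful output is the `successful_logins` list, which is the set of member accounts that warrant a forced re-authentication or a temporary lock of the kind Cbus and AustralianSuper applied.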

Arachchilage further emphasised MFA as a “game-changer” in combatting credential-stuffing attacks, stating it adds an extra “lock” or layer of security to accounts that can “stop an attacker cold”.

Information Age understands both Hostplus and Insignia mandate MFA setup during account registration, while the Australian Financial Review found AustralianSuper – which reported the only member losses – uses MFA to verify some transactions, but not for logging in.

“In 2025, not having MFA to protect something as critical as your retirement savings is like leaving your front door not just unlocked, but wide open,” said Arachchilage.

Wake-up call for superannuation sector

Grant Crough, founder and chief information security officer at technology management partner Leap Strategies, said the string of attacks should “absolutely be seen as an industry wake-up call”.

“The superannuation industry holds the retirement futures of millions of Australians,” he said.

“That kind of responsibility demands more than optional controls or best-effort protections.

“It requires enforced standards, better education, and greater accountability. Trust in these institutions is far too important to be left to chance.”

Arachchilage added “mandating MFA across all providers is a start” but stressed there was a wider “cyber maturity” problem for many superannuation providers.

“They manage billions of dollars on behalf of everyday Australians, yet some are still relying on outdated defences like firewalls and antivirus software as their first and only line of protection,” Arachchilage said.

“That’s no longer enough.”

Are your funds impacted?

At the time of writing there were only four known instances of financial losses from the attacks, all of which occurred at AustralianSuper.

The Australian Financial Review reported AustralianSuper has vowed to refund these impacted members, with company chief member officer Rose Kerlin stating remediations will be made from fund reserves.

"We have now thoroughly investigated the incidents in which money was transacted out of a member's account and all of those are being remediated," said Kerlin.

The fund had meanwhile temporarily restricted the ability for members to change their bank account or contact details.

AustralianSuper later said “if you see a reduction in your account balance you weren’t expecting, this does not immediately indicate fraudulent or suspicious activity on your account”.

The fund noted “global markets are experiencing more volatility than usual” largely due to geopolitical events and trade tariffs recently introduced under US President Donald Trump.

“It’s important to remember that market ups and downs are a normal part of investing,” said AustralianSuper.

“If you are concerned, check your transactions for any unusual activity.”

The Australian Prudential Regulation Authority (APRA) reportedly told all superannuation funds to report by midday Monday if they had been breached as part of the attack.

'A regular issue': Prime Minister responds

Prime Minister Anthony Albanese said Friday the government was “considering what had occurred” and would respond in time.

“There is an attack, a cyberattack, in Australia about every six minutes. This is a regular issue,” Albanese said.

Shadow Minister for Home Affairs and Cybersecurity Senator James Paterson meanwhile suggested the Albanese government did not realise how serious the incident was.

“It is extraordinary Anthony Albanese described the apparent theft of Australians’ retirement savings as just ‘a regular issue’,” he said.

“This is a major cyberattack with very real consequences for victims.”

Greens senator David Shoebridge added the superannuation sector is “on notice about serious cybersecurity issues”.

“We need to get serious about penalties for initial breaches so that there is a clear deterrent,” he said.

Albanese later emphasised “cybersecurity is a real issue” in a Monday press conference.

“My government has set up an Office of Cyber Security, we have provided additional funding for the Australian Signals Directorate, we've set up a roundtable, including with the private sector, to deal with these issues,” he said.

“Businesses need to do better [and] we need to work together on these issues because we know that there are criminal organisations, but also state actors, [which] have been involved in this.”

Treasurer Jim Chalmers added the government will “do what is necessary to make sure that super funds are safe” but that the government was not currently contemplating compensation for affected members.