Hackers strike Australia's largest pension funds in coordinated attacks
43 comments · April 4, 2025
trollbridge
throw10920
This level of rigor should be the standard for every financial institution, and those that handle things that consumers consider valuable (such as their personal data).
Or, at the very least, consumers/clients should have the ability to opt in to this kind of paranoia, without meaningless sacrifices of convenience. Those of us in the US can't.
Henchman21
Instead we get banks that refuse to even police their own systems. We get bank fraud relabeled as “identity theft”.
On the one hand I didn’t vote for Trump, don’t want any of what he’s doing to happen. At all.
But on the other hand I'd be happy to light the match that sets alight the house of cards that's been built. Everything about life in the US seems like it's built on a foundation of lies.
In my frustration, I may have digressed a bit :)
h4ck_th3_pl4n3t
Unironically best opsec I've read about in a while.
In times of deepfakes, people really underestimate the level of fakes they can receive. I've seen companies getting scammed with spoofed phone calls where they didn't have a policy to call back to prevent numbers being spoofed, etc. Most private data is available online, so you always have to assume that e.g. a workflow via email or phone can be malicious by default.
In an alternate reality M$ Outlook would be a product for the receivers of email, and not a business product for spammers.
seb1204
It irritates me to read that people have lost their pension. Surely this should read "the pension fund has lost their pension due to an IT safety breach"? If a bank gets robbed they don't steal my money but the bank's, right?
Khaine
Information on the attack is scarce, but it sounds like attackers obtained credentials from prior breaches and used them against super funds. It is shameful that many of these funds have not yet implemented MFA in this day and age, but it's not like the actual fund got compromised.
Obviously, information at the moment is very light so this understanding may change, but this is the current position.
Gigachad
The article didn’t seem to explain how the money was taken. I’m a member of one of the listed affected super funds and all my money is still there.
Most plausible explanation seems to be phishing and scams rather than a technical hack.
creata
An ABC (Australian Broadcasting Corporation) article says credential stuffing.
https://www.abc.net.au/news/2025-04-04/drt-how-superfunds-we...
lenerdenator
They've effectively lost their pension, have they not?
The money's gone, and the people that the retirees entrusted with the money, lost it.
ta1243
Obligatory Mitchell and Webb sketch
taberiand
I suppose it depends if it's worse than currently reported, but it seems to me that with only 600 accounts losing an average of ~$800 each (and I'm going to go out on a limb and assume the users had poor password security), fast detection and immediate action to lock it down, there was a good and effective response by the companies attacked.
Cyphase
> it seems to me that with only 600 accounts losing an average of ~$800 each
From the article:
> AustralianSuper, the country's largest fund managing A$365 billion for 3.5 million members, said that up to 600 member passwords had been stolen to access accounts and attempt fraud.
> Four AustralianSuper members had a combined A$500,000 drained from their balances and transferred to other accounts that did not belong to them, according to the source, who was not authorised to speak publicly about the matter.
It's not completely clear if 600 passwords were "stolen" but only four accounts had any money transferred, or if there are more accounts at that fund that had money transferred.
And that's just one fund.
> Rest Super, the default industry pension fund for retail workers, with A$93 billion of assets under management, said it suffered an attack that impacted around 20,000 accounts, or around 1% of its 2 million members.
taberiand
Oh, you're right, I misread. That's much worse for those 4 people but still not too bad (so far).
johnisgood
How could they really use the money anyway, even if they transfer it to another account? I don't know how one could get away with it. Follow the money!
rmm
Our company was scammed (invoice scam) and, talking to police, it's actually easy. They transfer it to another local bank account (normally stolen), then immediately transfer it overseas. At that point it's more or less gone.
johnisgood
Damn, and there is nothing to be done after the transfer overseas? They would be able to figure out who the perpetrator is, right?
blitzar
For most people (pre-retirement age) the funds are locked in a trust they can barely access themselves. I presume (big if) that those who lost money were retired and the payment details for their monthly income were changed to pay to the bad guys' accounts.
worthless-trash
This was exactly my thought: how exactly can the 'bad guys' access it, when people who may need it can't?
dbetteridge
*Tries to turn on MFA for my super fund*
Options: SMS or email.
I wonder how this could have happened...
IronCoder1
This breach reinforces the importance of robust security measures, particularly for sensitive financial data. Pension funds must prioritize investing in state-of-the-art cybersecurity defenses and incident response plans. Transparent communication with affected individuals is crucial to maintain trust and mitigate potential harm. Swift action is needed to prevent future attacks.
damhsa
The amount lost is insignificant compared to that lost to wage theft, inflation, rent, interest -- forms of capital expansion.
https://en.wikisource.org/wiki/Manifesto_of_the_Communist_Pa...
Nearly every one of my clients has been invoice scammed. The amounts are typically five figures.
When we onboard a new customer, I send a packet with payment information including how to direct deposit. It has this information:
- Our routing/account number. We sweep the funds out of this account nearly instantly once the deposits are made. The bank account's purpose is to accept direct deposits and nothing else. We transmit the account number over the phone, so at least it's less likely to end up sitting in a (compromised) e-mail box.
- Our mailing address, which is a PO Box.
- Some information on invoice scams, including an offer to review any suspicious requests free of charge. A customer takes us up on this every few months… so far we have yet to see one legitimate one.
- A warning to never, ever accept changes for our payment information or mailing address unless told to do so in person by an officer of the company, with a list of the current officers.
- If in doubt, mail a check to the PO Box instead of direct deposit.
- A warning not to trust information sent via email, fax, phone calls (voice changers are a real thing), or from an employee/officer other than the one they usually interact with, and such a change must be confirmed with a phone call to a different officer.
- A recommendation to also contact our local credit union (where we deposit payments from our customers) if they feel something is suspicious.
- We have an internal rule that any change to bank accounts requires a meeting of 3 officers, in person or over the Google Meet we normally use for video calls (no phone calls), with meeting minutes recorded for the change. The change must be unanimous and can't be put in for 30 days unless it is an emergency. Emergencies must be coordinated with a responsible person at the bank, in person. (Sorry, but this means no fintech-type banks.) We recommend that our customers do the same.
The biggest liability is that it would be hard for us to change bank accounts.
We get an attempt on an invoice scam or otherwise every few weeks. So far we haven’t lost a penny of company funds due to fraud.