Article Details

Scrape Timestamp (UTC): 2025-04-04 05:50:32.803

Source: https://www.theregister.com/2025/04/04/australian_retirement_funds_attacked/

Original Article Text


Retirement funds reportedly raided after unexplained portal probes and data theft. Australians checking their pensions are melting down call centres and websites.

Australian retirement fund operators are scrambling after reports emerged of unauthorized access to customer accounts leading to theft of cash.

Most Australian workers have retirement accounts thanks to a requirement that employers pay an 11.5 percent “superannuation” contribution on top of wages. The payments are made into “super funds” of a worker’s choice.

Over 100 super funds compete for workers’ dough, usually by promoting the returns they generate and their easy-to-use apps and web portals that allow customers to control how their funds are invested.

While competition among funds is good for consumers, it means super funds need to achieve infosec excellence to guard members’ balances - which collectively exceed AUD$4 trillion ($2.5 trillion).

On Friday it emerged some super funds’ infosec has been tested, and found wanting.

The peak body for super funds, the Association of Superannuation Funds of Australia (ASFA), on Friday said it is “aware that last weekend hackers attempted to get through the cyber-defenses of a number of superannuation funds.” ASFA added: “While the majority of the attempts were repelled, unfortunately a number of members were affected. Funds are contacting all affected members to let them know and are helping any whose data has been compromised.”

A fund named “Rest” on Friday seemingly outed itself as one of the impacted orgs by telling members “Over the weekend of 29-30 March 2025, Rest became aware of some unauthorised activity on our online MemberAccess portal.” Rest continued: “We believe the impact of this incident has been limited to approximately 8,000 members who may have had some limited personal details accessed,” the fund advised members, before adding “No member funds were transferred out of impacted members’ accounts due to these unauthorised access attempts.”

Local media reports suggest other funds have detected money was improperly withdrawn. One unnamed fund apparently tried to fend off 600 attacks.

It’s suggested crims gained access to accounts, perhaps by acquiring credentials from stolen data sold on the dark web, and then raided accounts in the small hours of Friday morning. That time of day was chosen because attempts to transfer funds from super accounts, or to reset account passwords, often trigger SMS messages to re-authenticate users or distribute one-time passwords. In Australia, as elsewhere, plenty of people silence their phones overnight, so crims could have raided accounts under cover of darkness and silence.

Superannuation funds are generally not accessible until account-holders turn 60, so if crims have managed to cash out some accounts they’ve either compromised many victims and found some ripe for exploitation, or done some homework on who to target.

The Register has checked the websites of funds reported to have been hit in this wave of attacks and found most have posted notices warning customers of higher-than-usual levels of inquiries to call centres. Some funds’ websites are unresponsive, suggesting a flood of traffic from concerned customers.

This is a developing story and The Register will update it as more information becomes available.
Australia’s superannuation system last came to our attention in 2024 when Google Cloud deleted systems it ran for a fund called UniSuper.
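As an added illustration, not code from the article or from any fund, the following scores portal events for the pattern described above: sensitive actions (withdrawals, password resets) performed overnight when SMS re-authentication prompts are likely to go unseen, coming from an address the member has not used before, and withdrawals on accounts below preservation age. The local time zone, quiet window, action names, baseline addresses and sample events are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumptions (not from the article): members are in AEDT (UTC+11, in force in late
# March 2025) and SMS re-auth prompts sent 00:00-05:59 local are likely to go unseen.
LOCAL_TZ = timezone(timedelta(hours=11))
QUIET_HOURS = range(0, 6)
PRESERVATION_AGE = 60  # super is generally locked until the holder turns 60
SENSITIVE = {"withdrawal_request", "password_reset", "bank_detail_change"}

@dataclass(frozen=True)
class Event:
    member_id: str
    action: str
    ts_utc: datetime  # timezone-aware UTC timestamp
    ip: str
    holder_age: int

def risk_reasons(ev, baseline_ips):
    """Risk signals on one portal event; an empty list means nothing to flag."""
    reasons = []
    if ev.action not in SENSITIVE:
        return reasons  # only actions that trigger an SMS prompt matter here
    if ev.ts_utc.astimezone(LOCAL_TZ).hour in QUIET_HOURS:
        reasons.append("overnight")
    if ev.ip not in baseline_ips.get(ev.member_id, set()):
        reasons.append("unfamiliar_ip")  # consistent with use of stolen credentials
    if ev.action == "withdrawal_request" and ev.holder_age < PRESERVATION_AGE:
        reasons.append("under_preservation_age")
    return reasons

def flag_events(events, baseline_ips, threshold=2):
    """Events carrying at least `threshold` signals, as (member_id, action, reasons)."""
    scored = ((ev, risk_reasons(ev, baseline_ips)) for ev in events)
    return [(ev.member_id, ev.action, r) for ev, r in scored if len(r) >= threshold]

# Constructed sample data (not real members, addresses or timestamps).
BASELINE = {"m-1001": {"203.0.113.10"}, "m-1002": {"198.51.100.7"}}
SAMPLE_EVENTS = [  # 16:30 UTC on 27 Mar is 03:30 AEDT on 28 Mar
    Event("m-1001", "withdrawal_request", datetime(2025, 3, 27, 16, 30, tzinfo=timezone.utc), "192.0.2.55", 41),
    Event("m-1002", "password_reset", datetime(2025, 3, 27, 16, 40, tzinfo=timezone.utc), "192.0.2.56", 63),
    Event("m-1002", "withdrawal_request", datetime(2025, 3, 27, 23, 0, tzinfo=timezone.utc), "198.51.100.7", 63),  # 10:00 local, usual IP
]

if __name__ == "__main__":
    for member, action, reasons in flag_events(SAMPLE_EVENTS, BASELINE):
        print(member, action, ", ".join(reasons))
```

The threshold keeps a single signal (a member travelling, or one who genuinely works nights) from paging anyone; in production the baseline would come from the member's login history rather than a literal dict.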

Daily Brief Summary

DATA BREACH // Retirement Funds Compromised in Australian Cyberattacks

Unauthorized access in Australian superannuation funds led to theft from accounts.

Hackers accessed member data at multiple funds, in a sector where over 100 super funds compete on returns and easy-to-use apps and web portals.

ASFA reported efforts to obtain unapproved access to several funds’ portals; most attacks were thwarted.

The "Rest" fund acknowledged unauthorized activity and contacted affected members; approximately 8,000 members had personal details exposed.

Some reports indicate actual monetary theft from member accounts during overnight hours, when SMS re-authentication prompts and one-time passwords are likely to go unnoticed.

Increased call center and website traffic following the breaches, with some funds' websites becoming unresponsive.

This is not the sector's first infrastructure scare: in 2024 Google Cloud deleted systems it ran for the fund UniSuper.

Ongoing situation with updates pending as funds continue to assess and mitigate damage.