Spry Roughley Insights

Keeping your super account secure

Written by Spry Roughley | May 5, 2025 1:05:43 AM

In the wake of recent cyber-attacks on several large Australian super funds, you might be wondering how to protect your retirement savings. These attacks compromised members' data and resulted in some people losing money from their accounts. Here's what happened and how you can help safeguard your super.

What happened?

The past few years have seen significant data breaches at well-known Australian companies outside the superannuation sector, exposing a huge amount of consumer personal identity information. The cyber-attacks on superannuation funds reportedly used a technique called "credential stuffing", in which cybercriminals take email addresses and passwords stolen in those earlier breaches and try the same combinations against member login pages. The technique only works where a member has reused a password that was already exposed, which is why the advice below leans so heavily on unique passphrases and multi-factor authentication.

The attacks were timed for the early hours of the morning when most account holders would be asleep and unlikely to notice suspicious login attempts or account changes, and targeted members in the pension drawdown phase who are able to request lump sum withdrawals.
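As an added example that is not part of the original article, and not any fund's actual monitoring code, the following Python script shows how a fund's security team could pick out the pattern described above from its own login logs: one source address trying many distinct member accounts with mostly failures (stolen credential pairs are each tried once, and most do not match), then a successful login from that address or in the early hours followed shortly by a bank-details change or withdrawal request. The log format, IP addresses, member IDs, event names and thresholds are all constructed for illustration.

```python
"""Credential-stuffing triage over constructed login/event logs (illustrative only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <ip> <member> <event> <outcome>".
# Addresses are from RFC 5737 documentation ranges and member IDs are made up.
SAMPLE_LOG = """\
2025-04-01T02:10:05 203.0.113.7 M1001 login fail
2025-04-01T02:10:06 203.0.113.7 M1002 login fail
2025-04-01T02:10:08 203.0.113.7 M1003 login success
2025-04-01T02:10:09 203.0.113.7 M1004 login fail
2025-04-01T02:10:11 203.0.113.7 M1005 login fail
2025-04-01T02:10:12 203.0.113.7 M1006 login fail
2025-04-01T02:10:14 203.0.113.7 M1007 login fail
2025-04-01T02:10:15 203.0.113.7 M1008 login success
2025-04-01T02:10:17 203.0.113.7 M1009 login fail
2025-04-01T02:10:18 203.0.113.7 M1010 login fail
2025-04-01T02:14:30 203.0.113.7 M1003 bank_details_change success
2025-04-01T02:20:41 203.0.113.7 M1003 withdrawal_request success
2025-04-01T09:15:00 198.51.100.4 M2001 login fail
2025-04-01T09:15:20 198.51.100.4 M2001 login success
2025-04-01T09:30:00 198.51.100.4 M2001 bank_details_change success
"""

# Thresholds are assumptions for this demo; a fund would tune them on its own traffic.
STUFFING_MIN_ACCOUNTS = 5       # distinct members tried from one IP inside WINDOW
STUFFING_MIN_FAIL_RATE = 0.5    # stolen credential lists mostly fail against a given fund
WINDOW = timedelta(minutes=10)
NIGHT_HOURS = range(0, 6)       # the "early hours" the article describes, local time
FOLLOW_ON = timedelta(hours=1)  # sensitive change this soon after a suspect login
SENSITIVE_EVENTS = {"bank_details_change", "withdrawal_request", "contact_details_change"}


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, member, event, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "member": member, "event": event, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def stuffing_sources(events):
    """Flag IPs that hit many distinct accounts with a high failure rate in a sliding window.

    Returns {ip: {"accounts_tried", "failures", "successes"}} for the widest window
    that met both thresholds; the successes are the accounts whose passwords were reused.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end]["ts"] - attempts[start]["ts"] > WINDOW:
                start += 1
            window = attempts[start:end + 1]
            members = {e["member"] for e in window}
            fails = sum(e["outcome"] == "fail" for e in window)
            if len(members) >= STUFFING_MIN_ACCOUNTS and fails / len(window) >= STUFFING_MIN_FAIL_RATE:
                prev = flagged.get(ip)
                if prev is None or len(members) > prev["accounts_tried"]:
                    flagged[ip] = {"accounts_tried": len(members), "failures": fails,
                                   "successes": len(window) - fails}
    return flagged


def risky_follow_on(events, flagged_ips):
    """Successful logins from a flagged IP or in the early hours that are followed, within
    FOLLOW_ON, by a sensitive change on the same member. Returns (member, event, time) tuples;
    these are the accounts a fund would freeze and contact first."""
    logins = [e for e in events if e["event"] == "login" and e["outcome"] == "success"]
    sensitive = [e for e in events if e["event"] in SENSITIVE_EVENTS and e["outcome"] == "success"]
    alerts = []
    for login in logins:
        suspect = login["ip"] in flagged_ips or login["ts"].hour in NIGHT_HOURS
        if not suspect:
            continue
        for s in sensitive:
            gap = s["ts"] - login["ts"]
            if s["member"] == login["member"] and timedelta(0) <= gap <= FOLLOW_ON:
                alerts.append((login["member"], s["event"], s["ts"].isoformat()))
    return alerts


def triage(text=SAMPLE_LOG):
    """Run both detections over a log and return (flagged_ips, alerts)."""
    events = parse_log(text)
    flagged = stuffing_sources(events)
    return flagged, risky_follow_on(events, flagged)


if __name__ == "__main__":
    flagged, alerts = triage()
    for ip, stats in flagged.items():
        print(f"stuffing source {ip}: {stats}")
    for member, event, when in alerts:
        print(f"review {member}: {event} at {when}")
```

On the constructed log, 203.0.113.7 is flagged (10 accounts, 8 failures, 2 successes) and only M1003, whose night-time login from that address was followed by a bank-details change and a withdrawal request, is raised for review; M2001's daytime change from an unflagged address is left alone. The same two signals are what justify the response the funds took: restricting bank-detail changes while the incident is open and requiring MFA step-up before such changes go through.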

Super funds responded by identifying and contacting affected members, with some funds temporarily restricting the ability to change bank and contact details through mobile apps or online accounts while addressing the incident. Other funds impacted by the attacks advised members to log into their accounts to check their details and update their passwords.

Most funds indicated that member accounts and retirement savings were secure and that no members had lost money following the attacks. One super fund revealed that a small number of members had lost a combined $500,000 during the cyber-attack; after investigating the transactions that moved money out of members' accounts, the fund said it would remediate those losses from its reserves.

Practical steps to protect your super account

Protecting your super account is a partnership between you and your super fund. Here are some practical steps that you can take to help keep your super safe:

  • Keep track of your super account: The best defence is regular monitoring. Check your balance periodically, verify employer contributions are coming through, review your insurance cover, examine your annual statement, and ensure your contact details are current. 
  • Upgrade your passwords to passphrases: Never reuse passwords across different accounts, since a reused password is exactly what credential stuffing exploits. Instead, create a passphrase: a sentence or mix of four or more words that is easy for you to remember but hard for others to guess. Include a combination of upper and lowercase letters, symbols and numbers, and aim for at least 14 characters. Avoid obvious choices like birth years, family names or hobbies that can be linked to you. A password manager makes a unique passphrase for every account practical, so you only need to remember the one that unlocks the manager.
  • Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of protection by requiring two or more different kinds of verification to access your account: something you know (password/PIN), something you have (mobile device/security token) and something you are (fingerprint/facial recognition). A stolen password on its own is then not enough to log in. Check if your super fund offers MFA and enable it; where you have a choice, an authenticator app or security key is stronger than codes sent by SMS.
  • Protect your devices: Secure all devices you use to access your super account. Use strong passwords or passcodes, set up biometrics where possible, enable auto-lock when not in use, and activate "find your device" services so you can lock or wipe your device if it's stolen. 
  • Be wary of unsolicited communications: Take your time to verify the identity of anyone contacting you unexpectedly. Don't click links in suspicious emails or texts. Instead, contact your fund directly using the official contact details from their website.
  • Report suspicious activity: Alert your super fund immediately if something doesn’t seem right with your account or if you receive suspicious communications.

For additional resources, visit the Australian Government's cyber.gov.au website, which offers cybersecurity information in English and other languages. Your super fund may also provide specific security guidance.