58pc of super funds ‘leaving door open to hackers’

Hackers infiltrated some of Australia’s biggest industry super funds last month following repeated warnings from financial and corporate regulators that their digital defences weren’t up to scratch.
Criminals siphoned at least $700,000 from AustralianSuper members’ accounts alone. Now Proofpoint, a leading cybersecurity and compliance company, says 58 per cent of funds are still falling behind on “basic cybersecurity measures”.
The lax attitude comes after Anthony Albanese appeared unbothered by the attack, saying hacks happen “all the time”. Home Affairs Minister Tony Burke appeared similarly unconcerned, while there was initial confusion over whether the Australian Federal Police or Victoria Police was investigating the hack.
Proofpoint senior director of its advanced technology group for Asia Pacific and Japan, Steve Moros, said the company analysed 88 Australian super funds.
The report — based on a domain-based message authentication, reporting and conformance (DMARC) analysis — found poor cybersecurity measures were continuing to expose Australians to email fraud.
DMARC is an email authentication protocol that lets a domain owner publish, in DNS, a policy telling receiving mail servers how to treat messages that claim to come from the domain but fail the underlying SPF or DKIM checks, so that criminals cannot send mail that appears to originate from it.
The policy has three levels: monitor (p=none), quarantine and reject. Reject is the most secure, instructing receivers to refuse failing messages outright so they never reach an inbox, and Mr Moros said only 42 per cent of super funds had implemented that setting.
But he said it was more alarming that 8 per cent of funds had published no DMARC record at all, leaving their domains open to impersonation and effectively opening their doors to hackers.
“Australian superannuation funds hold the financial futures of millions of everyday Australians, yet our research reveals 58 per cent are failing to implement basic email security protocols,” Mr Moros said.
“This security gap creates a dangerous opening for cybercriminals who specifically target these data-rich organisations. The recent breach resulting in over $500,000 in losses demonstrates these threats aren’t theoretical and are, in fact, regular occurrences growing in volume.
“They’re actively impacting Australians’ retirement savings. While resource constraints are understandable, implementing robust DMARC protection isn’t optional in today’s threat landscape — it’s essential infrastructure that stands between members’ life savings, their privacy and increasingly sophisticated fraud campaigns targeting these critical financial institutions.”
Of the 88 funds, 27 per cent had only a monitor (p=none) policy, which reports spoofing attempts to the domain owner but does not stop the spoofed mail being delivered, and 23 per cent used quarantine.
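The breakdown above is the kind of result you get by fetching each fund’s `_dmarc` TXT record and classifying its `p=` tag. The script below, an added example that is not from the article or from Proofpoint, does that classification offline on four constructed records (the `fund-*.example` domains and their records are invented for illustration) and also flags the weaker settings a practitioner looks for beyond the headline policy: a `pct` below 100, a subdomain policy of `none`, and the absence of `rua` aggregate reporting.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not from the article or Proofpoint. The domain names and
records in SAMPLE_RECORDS are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    policy: Optional[str]            # 'none' / 'quarantine' / 'reject', or None if no valid record
    subdomain_policy: Optional[str]  # sp= tag, defaults to p= when absent
    pct: int                         # share of failing mail the policy applies to (default 100)
    has_reporting: bool              # rua= present, so the owner actually sees spoofing attempts
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when failing mail is quarantined or rejected for 100% of messages."""
        return self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict.

    Returns {} for a missing record or one that does not start with v=DMARC1
    (e.g. an SPF record mistakenly published at _dmarc), which receivers ignore.
    """
    if record is None:
        return {}
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess(record: Optional[str]) -> DmarcAssessment:
    """Turn one TXT record into a posture plus a list of weaknesses."""
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:  # p= is mandatory; without it there is no policy
        return DmarcAssessment(None, None, 0, False,
                               ["no valid DMARC record: receivers apply no policy"])
    policy = tags["p"].lower()
    if policy not in POLICIES:
        return DmarcAssessment(None, None, 0, False,
                               [f"invalid p={policy}: record ignored by receivers"])
    findings: List[str] = []
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("unparsable pct= tag, treated as 100")
    has_reporting = "rua" in tags

    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if not has_reporting:
        findings.append("no rua=: no aggregate reports, spoofing attempts are invisible")
    return DmarcAssessment(policy, sub_policy, pct, has_reporting, findings)


# Constructed sample records, one per posture the report distinguishes.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "fund-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@fund-a.example",
    "fund-b.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "fund-c.example": "v=DMARC1; p=none; rua=mailto:reports@fund-c.example",
    "fund-d.example": None,  # no _dmarc record published at all
}


def summarise(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per posture: the same breakdown the report gives."""
    counts = {"reject": 0, "quarantine": 0, "none": 0, "missing": 0}
    for record in records.values():
        counts[assess(record).policy or "missing"] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess(record)
        status = "enforcing" if result.enforcing else "NOT enforcing"
        print(f"{domain}: p={result.policy} ({status}) {result.findings}")
    print(summarise(SAMPLE_RECORDS))
```

To run the same check against a live domain, fetch the record with `dig +short TXT _dmarc.<domain>` (or any DNS library) and pass the returned string to `assess`. Note that `fund-b.example` carries a quarantine policy yet is not counted as enforcing: with `pct=25`, three quarters of spoofed mail is still delivered, which is why the script looks past the `p=` tag alone.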
With funds failing to protect their own domains, Mr Moros urged Australians to be vigilant about their own security by checking the validity of all email communication and being aware of potentially fraudulent emails impersonating colleagues, suppliers and stakeholders.
He also said people must be cautious of any communication attempts that request log-in credentials or threaten to suspend service or an account if a link isn’t clicked, as well as adopt phishing-resistant multifactor authentication, such as passkeys.
Proofpoint’s warning follows Verizon regional vice-president Rob Le Busque saying too many companies treated cybersecurity as a tick-a-box compliance exercise rather than a serious threat akin to a bank robbery.
“The analogy we sometimes use is you can’t afford to leave even one window open on your house because even the smallest entry point can create a really significant issue for you,” Mr Le Busque said.
“I was talking to a colleague … whose mother was a bank teller in the ’70s. They would be sent to the shooting range twice a year. They had to qualify to hold a handgun in the branch. And then they introduced better protections and screens.
“It’s that mindset, or thinking about that same approach when it comes to cyber – not just compliance … thinking about those firm protective measures that you can put in place that harden your cyber security and your overall posture.”
But super funds have shown they can move quickly if they want to. A fund caught in the attack called Titanium Ventures-backed Cequence Security soon after the breach to deploy its artificial intelligence-powered cyber defence platform. The process, which would normally take about three months to complete, was performed within a day.
Cequence Asia Pacific and Japan manager Glen Maloney was confident had the system been installed earlier it could have prevented last week’s attack, which was most likely the work of AI-powered bots.
“The bad guys are getting smarter and using automation. They’ve got advanced AI and ‘bot as a service’ platforms that they can use against us. But what we’re really focusing on is the ability to use AI to understand that application,” Mr Maloney said.
This article first appeared in The Australian.