
AustralianSuper says cyberattack losses total $750k

AustralianSuper has confirmed that, of the 600 members who had their accounts accessed in the cyberattack earlier this month, 10 suffered a financial loss totalling $750,000.

"Our investigation into this criminal act found a total of 10 members had a combined $750,000 transferred out of their accounts, which were fully reimbursed this week," AustralianSuper said late Friday.

"These members have been offered expert and independent support through IDCARE, which provides tailored advice and assistance in cyber incidents. Chief member officer Rose Kerlin spoke directly to a number of these members [earlier this week].

"AustralianSuper's systems remained secure in this incident, but we acknowledge the distress it has caused and thank members for their ongoing patience as we continue to work directly with those affected."

AustralianSuper chief executive Paul Schroder said while criminals were able to access member accounts, the fund was not "hacked".

"I want to be clear that AustralianSuper was not hacked. Criminals used stolen passwords and personal identity information from other sources to access accounts to commit fraud," he said.

"Unlike other recent cyber incidents reported in the media over the last few years, cyber criminals did not access our systems."

At this stage, it appears AustralianSuper was the only super fund to have seen members suffer a financial loss.

A spokesperson for Rest confirmed to Financial Standard that while there was suspicious activity on member accounts, no money was lost.

"No money was transferred out of Rest member accounts as a result of this incident. We have contacted impacted members to provide support," the spokesperson said.

Hostplus also confirmed that no financial losses had occurred. Australian Retirement Trust has not provided an update since the cyberattack was made public on April 7 - though at the time the fund said it had not identified any suspicious transactions.

Speaking at an industry event, ASFA chief executive Mary Delahunty confirmed the incident was being investigated by police and government authorities.

"We can say that cyber criminals undertook a coordinated, well-funded and sophisticated attack, attempting to access the retirement funds of Australians using stolen / approximated email addresses and passwords to log in - a process known as credential stuffing," Delahunty said.

"The superannuation sector is taking this extremely seriously, as we should. Australians place enormous trust in the super system and rightly expect that their retirement savings will be safe and protected. When that trust is tested, it must be taken seriously."
