The spate of cyberattacks targeting major Australian superannuation funds has laid bare a "critical vulnerability" in the sector's defences, according to financial services cybersecurity consultancy firm Software@Scale.

The attacks, which have so far resulted in at least $500,000 in confirmed financial losses and the compromise of thousands of members' information, highlight a "worrying trend," the firm said.

Software@Scale chief executive Louis Droguett explained that the attacks weren't about breaching firewalls; they exploited compromised member details - "a clear blind spot" in the cybersecurity landscape.

"This isn't a failure of multi-factor authentication (MFA) or firewalls, it's a failure to detect what's already leaked. Our team regularly monitors malware logs collected from info-stealer campaigns and finds that most enterprises are compromised with significant risk without awareness," Droguett said.

Droguett also claimed that "the threat was visible but not acted upon," highlighting the "critical need" for proactive dark web monitoring, as knowing when member credentials are compromised allows funds to take immediate action before attackers can exploit them.

Commonwealth Superannuation Corporation recently told Financial Standard how it is actively monitoring the dark web for potential exposures involving its members - including cyber breaches from their own systems - warning that the volume of financial data held by the industry makes it an attractive target, and that any perceived vulnerability could trigger a surge in attacks.

In light of the breaches, Droguett urged super funds to invest in dark web and credential exposure monitoring, arguing that the industry must move beyond perimeter defences and adopt proactive threat intelligence to stay ahead of the curve.
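As an added illustration of what credential exposure monitoring looks like operationally (this is example code written for this article, not Software@Scale's tooling or any fund's system): a constructed info-stealer log export in the common url:login:password layout is matched against a member directory, plaintext passwords are fingerprinted rather than stored, and each hit is mapped to the kind of containment step the funds describe below (locking the account, holding bank-detail changes, notifying the member). The host names, member records and log lines are all made up.

```python
import hashlib
import re

# Constructed info-stealer log export in the common "url:login:password" layout.
# Every host, e-mail address and password below is made up for this example.
SAMPLE_STEALER_LOG = """\
https://portal.example-super.com.au/login:alice@example.com:Summer2024!
https://shop.unrelated.example:bob@example.org:hunter2
https://example-super.com.au/member/signin:carol@example.net:P@ssw0rd
https://mail.example.com:alice@example.com:Summer2024!
not a credential line
"""
# Hosts the fund owns (assumed names) and a constructed member directory: e-mail -> member id.
FUND_HOSTS = {"portal.example-super.com.au", "example-super.com.au"}
MEMBERS = {"alice@example.com": "M-1001", "carol@example.net": "M-1002", "dave@example.com": "M-1003"}
LINE_RE = re.compile(r"^https?://(?P<host>[^/:\s]+)[^:\s]*:(?P<user>[^:\s]+):(?P<secret>.+)$")

def parse_stealer_log(text):
    """Yield (host, user, secret fingerprint) per parsable line; the plaintext secret is never kept."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and malformed entries
        fp = hashlib.sha256(m["secret"].encode()).hexdigest()[:12]
        yield m["host"].lower(), m["user"].lower(), fp

def find_exposed_members(log_text, members=MEMBERS, fund_hosts=FUND_HOSTS):
    """Map member id -> findings. 'direct': a login for the fund's own portal was stolen;
    'reuse_risk': the member's e-mail was stolen for another site (password-reuse exposure)."""
    findings = {}
    for host, user, fp in parse_stealer_log(log_text):
        member_id = members.get(user)
        if member_id is None:
            continue  # not one of our members; nothing to action
        kind = "direct" if host in fund_hosts else "reuse_risk"
        findings.setdefault(member_id, []).append({"kind": kind, "host": host, "fingerprint": fp})
    return findings

def plan_response(findings):
    """Return containment actions per member, mirroring the steps the funds took: lock the
    account, hold bank/contact-detail changes and notify the member by SMS or e-mail."""
    plan = {}
    for member_id, items in findings.items():
        actions = ["notify_member_sms_email"]
        if any(f["kind"] == "direct" for f in items):
            actions += ["lock_account", "force_password_reset", "hold_bank_and_contact_changes"]
        else:
            actions += ["step_up_auth_next_login"]
        plan[member_id] = actions
    return plan
```

A member whose e-mail only turns up against an unrelated site is still worth a step-up challenge, since stealer victims commonly reuse the same password on the fund portal.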

He also called for a shift in thinking, saying cyber resilience should be treated as a shared responsibility, with individual member account vulnerabilities now posing a systemic risk to the broader superannuation sector.

Lastly, he said funds must ensure their incident response capabilities are robust and well-tested, enabling them to quickly contain credential-based attacks and communicate effectively with members. Swift and decisive action, he added, is crucial to maintaining public trust, noting this recent attack wasn't just an attack on individual funds but the whole system.

Super Consumers Australia (SCA) also condemned the superannuation industry's handling of cybersecurity, describing the recent attacks as "shocking and unsettling."

The advocacy group said the breaches came despite repeated warnings from regulators that the sector is lagging on cyber-resilience, fraud, and scam protections.

SCA chief executive Xavier O'Halloran said that given Australians are legally required to put their money into super, the news of the attacks is chilling, particularly when "we know" super funds aren't doing enough to protect people's retirement savings.

"When something goes wrong, too many people are being left without support, answers, or access to their own money," O'Halloran said.

"The super system has no excuse to be unprepared. It's time to meet community expectations and protect people's money when it matters most."

Following its initial announcement, AustralianSuper issued a further update over the weekend confirming it had locked impacted member accounts and, where possible, notified those affected via SMS or email.

The fund also introduced additional security controls across all member accounts, temporarily disabling certain functions in its mobile app and online portal, including the ability to update bank account or contact details.

"We regret the inconvenience this will cause some members," AustralianSuper said.

Australian Retirement Trust (ART), which has yet to confirm to Financial Standard how many members were affected, also issued an update over the weekend, acknowledging member concerns.

"We know there's a lot going on at the moment that could lead you to be concerned about your super. And that's completely understandable," the fund said.

"The most important thing we can tell you is that ART is effectively managing the recent cyber events of the kind that have been happening to super funds.

"No suspicious transactions or changes to our members' accounts have been identified."

Hostplus chief executive David Elia likewise updated members over the weekend, saying media reports regarding the cyber incident affecting super funds had understandably caused concern. However, he said the fund's experience of the event had been different in both nature and impact to what had been reported.

"We acknowledge that a spike in suspicious activity was recorded by the fund over recent days, however we believe that the strong security safeguards we have in place, including MFA and Web Application Firewall, combined with heightened monitoring protocols have helped mitigate any impacts," he said.

"We continue to work closely with cybersecurity experts and relevant authorities and remain on high alert, with enhanced monitoring and protective measures in place. I will provide a further update should additional information become available, or the situation evolves."

Financial Standard understands ASIC and APRA are engaging with all potentially impacted super funds to support safe outcomes for members. APRA is also working closely with trustees who've reported issues to ensure members' financial interests are protected.