The super fund scouring the dark web to protect members

BY ANDREW MCKEAN  |  THURSDAY, 3 APR 2025   12:38PM

A compromised identity could result in financial harm, including the loss of superannuation savings, a particularly prominent risk given the volume of members' personal data available for sale. This super fund is fighting back with a novel approach.

The dark web market is booming, tipped to reach US$1.3 billion by 2028. On it, identity kits that include passports, bank logins, and access to social media accounts are being sold at a low cost.

Commonwealth Superannuation Corporation (CSC) is digging through the dark web to identify potential breaches involving its members - many of whom are "sensitive" personnel in the government and the Australian Defence Force - and is contacting affected individuals to let them know what data is out there and what actions they need to take.

CSC chief information security officer Daminda Kumara told Financial Standard that the dark web data spike took off after the pandemic, likely due to greater technology reliance by organisations, which criminals were quick to exploit.

While not a unique problem to superannuation, Kumara mooted that the industry may have drawn more attention from cybercriminals over the past year because of the reports spruiking the success and scale of Australia's $4 trillion retirement savings pool.

The large volume of articles touting the size and success of the superannuation industry could attract untoward attention. Although the sector takes pride in its achievements, from a practitioner's perspective, it may be more prudent to maintain a lower profile.

CSC began strengthening its cybersecurity posture several years ago, increasing its investment while also developing a strategy and roadmap to drive organisational maturity.

As part of that process, the fund implemented a requirement to proactively monitor and measure whether employee data appeared in public repositories, including the dark web.

However, the fund's analysis revealed that much of the data being flagged wasn't related to internal staff, but instead related to member information. And so, recognising its broader applicability, it extended this capability to members, framing it as an additional service.
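The check described above, matching a watchlist of identities against data found in public dumps, can be done without ever handing the full watchlist to whoever holds the leaked data. The block below is an added illustration written for this page, not CSC's tooling: it models a prefix-range ("k-anonymity") lookup of the kind Have I Been Pwned uses for its Pwned Passwords range API, applied here to e-mail addresses. The leaked records, member addresses and the `range_query` service are all constructed and hypothetical; the querying side only ever discloses the first five hex characters of a SHA-1 hash, so a third party hosting the index learns a bucket, not the member.

```python
"""Offline model of a credential-exposure check against a leaked dataset.

Added example for this page; the records below are invented, not real leak data.
"""
import hashlib
from collections import defaultdict

# Constructed sample of what an indexed dump might contain: an identifier plus
# the categories of data seen alongside it. Note the case/whitespace variation.
LEAK_RECORDS = [
    {"email": "Alice.Smith@example.gov.au", "fields": ["password", "passport"]},
    {"email": "bob@example.com", "fields": ["bank_login"]},
    {"email": "carol@example.org", "fields": ["social_media"]},
    {"email": " alice.smith@example.gov.au ", "fields": ["social_media"]},
]

PREFIX_LEN = 5  # hex chars disclosed by the querier; 16**5 buckets in total


def normalise_email(email: str) -> str:
    """Canonical form so 'Alice@X' and ' alice@x ' hash identically."""
    return email.strip().lower()


def email_hash(email: str) -> str:
    """Upper-case hex SHA-1 of the normalised address (matches HIBP-style indexes)."""
    return hashlib.sha1(normalise_email(email).encode("utf-8")).hexdigest().upper()


def build_index(records, prefix_len: int = PREFIX_LEN):
    """Index dump records as prefix -> {hash suffix -> set of data categories}.

    This is the side that holds the leaked data (e.g. a breach-intelligence provider).
    """
    index = defaultdict(lambda: defaultdict(set))
    for rec in records:
        h = email_hash(rec["email"])
        index[h[:prefix_len]][h[prefix_len:]].update(rec["fields"])
    return index


def range_query(index, prefix: str) -> dict:
    """Hypothetical provider endpoint: given only a hash prefix, return every
    suffix under it with the categories seen. The full hash is never sent."""
    return {suffix: sorted(fields) for suffix, fields in index.get(prefix, {}).items()}


def find_exposed(watchlist, index, prefix_len: int = PREFIX_LEN) -> dict:
    """Querier side (the fund): returns {normalised email: [categories]} for
    every watchlist entry whose hash suffix appears in its prefix bucket."""
    exposed = {}
    for email in watchlist:
        h = email_hash(email)
        prefix, suffix = h[:prefix_len], h[prefix_len:]
        bucket = range_query(index, prefix)  # only `prefix` leaves our side
        if suffix in bucket:
            exposed[normalise_email(email)] = bucket[suffix]
    return exposed


if __name__ == "__main__":
    # Constructed member watchlist; one address is not in the dump at all.
    members = ["alice.smith@example.gov.au", "dave@example.net", "BOB@example.com"]
    hits = find_exposed(members, build_index(LEAK_RECORDS))
    for addr, categories in hits.items():
        print(f"{addr}: seen with {', '.join(categories)} -> notify member")
```

Two details matter in practice. Normalisation must happen before hashing on both sides, otherwise the duplicate `alice.smith` record above would be missed; and the categories returned with a hit (password, passport, bank login) are what let contact-centre staff tell a member which specific actions to take rather than issuing a generic warning.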

"When we started discovering member information... we started questioning if customer information was exposed as a result of their own systems - not through CSC. As [security] practitioners, we thought we've got some data, someone has an issue, and it's our responsibility to tell them because they're our customers," Kumara said.

"For us, it's not just about managing super; we're also focused on looking after our customers' safety and wellbeing in the digital world. We proactively decided to reach out to these customers through our contact centre staff and say, 'Hey, we've seen something...'"

On average, the fund detects over 100 cases a year and has found that members typically respond positively to the proactive outreach, appreciating the effort to inform them.

"While the superannuation sector has seen increasing cyber activity, threat intelligence experts caution that the industry's profile could rapidly rise among cybercriminals. The sheer volume of financial data held by these funds makes them an inherently attractive target, and any perceived vulnerability could trigger a surge in attacks," Kumara said.

According to cybersecurity research firm Privacy Affairs, hacked Australian credit card details with a CVV sell for an average of US$23 as of 2023. A NSW driver's licence, meanwhile, fetched about US$40 that year, down from an average price of US$150 in 2022.

