πŸ”’breach.co.nz Β· the NZ & Australia breach register πŸ›‘οΈ A Govern service
Register β€Ί πŸ‡¦πŸ‡Ί AU β€Ί Finance

Australian superannuation funds (coordinated attack)

πŸ‡¦πŸ‡Ί Australia Β· AustralianSuper, Rest and other funds Β· Record AU-2025-0099
β—‹ Reported β€” awaiting official confirmation
Reported β€” awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2025-03
Regulator
ASIC / APRA (engaged)
Trust tier
B Β· Reported

Data exposed

Member account access via credential stuffing; some funds reportedly withdrawn (~$500k reported) Media-reported

Confidence: Confirmed = regulator/court Β· Company-confirmed = the organisation's own disclosure Β· Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In early 2025 several Australian superannuation funds β€” including AustralianSuper and Rest β€” were hit by a coordinated credential-stuffing campaign, in which attackers used stolen passwords to access member accounts; a reported ~A$500,000 was withdrawn from a number of accounts before the funds locked access [sbs-super] [cyberdaily-super]. The number of members affected was not officially quantified and is not estimated here.

Timeline

  • 2025-03/04 β€” Coordinated attack on multiple super funds disclosed; some funds withdrawn [sbs-super].

Current status

Disclosed; funds tightened access controls and regulators engaged. Figures are as reported. [cyberdaily-super]

Why it matters

A reminder that reused passwords β€” not a fund’s own systems β€” can expose retirement savings, and that one campaign can hit an entire sector at once.

GGOVERN Tabletop Exercises Β· Govern house Rehearse the breach before it reaches the balance sheet. Book a Discovery Call β†’