
Clients ‘still under attack’: What to learn from super fund breach

The cyber attack on super funds earlier this month is far from the end of the danger for clients, with an expert arguing “as long as there is money in the system, someone will be trying to get it”.

Super funds may have been the target of the most recent Australian cyber security breach, but the threat is not confined to super trustees or members, and advisers have a role to play in protecting their clients.

The method the cyber criminals used to target a raft of super funds was what’s known as “credential stuffing”, which The Cyber Collective founder Fraser Jack explained on LinkedIn is simply a “numbers game”.

“This method involves using stolen usernames and passwords from previous data breaches to gain unauthorised access to accounts,” Jack said.

“People often fail to update their super and investment login credentials and still reuse passwords that are easy to remember. These passwords might also be used for their online shopping or apps they downloaded.

“Anyone can purchase lists of email addresses and passwords that have been previously stolen from multiple apps. With automation and AI, these lists can be used 24/7 to search thousands of standard logins looking to gain access to finances or more information to scam people out of money.”
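The “numbers game” Jack describes, many different usernames tried from one source with mostly failed logins, is also what makes credential stuffing visible on the fund side. As an added example that is not from the article or from anyone quoted in it, the Python below runs a simple detector over a constructed login log: it flags source addresses that attempt many distinct accounts with a high failure rate, and lists the accounts where such a source did get in, so those members can be forced through a password reset and MFA; the log format and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample login records (not real data): "timestamp ip username result".
SAMPLE_LOG = """\
2025-04-01T09:00:01 203.0.113.7 alice FAIL
2025-04-01T09:00:02 203.0.113.7 bob FAIL
2025-04-01T09:00:02 203.0.113.7 carol FAIL
2025-04-01T09:00:03 203.0.113.7 dave FAIL
2025-04-01T09:00:03 203.0.113.7 erin OK
2025-04-01T09:00:04 203.0.113.7 frank FAIL
2025-04-01T09:00:09 198.51.100.2 alice FAIL
2025-04-01T09:00:15 198.51.100.2 alice OK
2025-04-01T09:01:00 192.0.2.9 bob OK
"""


def parse_log(text):
    """Turn the assumed 'ts ip user result' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct accounts and mostly fail.

    A genuine member who mistypes a password hits one account; a stuffing
    run walks a leaked list across many accounts. Thresholds are assumed.
    Returns {ip: {"distinct_users", "fail_ratio", "compromised"}} where
    "compromised" are accounts the flagged source logged into successfully.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])
        else:
            s["fails"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

In the sample, only 203.0.113.7 is flagged (six accounts tried, five failures) and the one account it reached, erin, is returned for step-up action; the member who fails once and then succeeds is left alone.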

The losses that AustralianSuper has since refunded number somewhere around $500,000, but it isn’t just the monetary loss that has hit the funds.


As cyber security specialist Louis Droguett, the chief executive of Australian software firm Software@Scale, told ifa sister brand Cyber Daily in the wake of the news, this wasn’t just an attack on individual funds, “it was an attack on the public’s trust in the superannuation system”.

“The industry needs to move beyond traditional security measures and adopt a collaborative approach to combating external threats. We need shared threat intelligence, playbooks, and proactive tooling to tackle credential-based attacks before they succeed,” Droguett said.

What can advisers do to protect clients?

According to Jack, advisers can do more for clients than simply ensuring that their own set-ups are secure, arguing that not only are clients “safer in an ongoing advice relationship”, it’s also “yet another reason why clients should be paying your fees”.

Advisers and clients need to learn from the super fund breach, he noted, and understand the threat is an ongoing one.

“The reality is they are still under attack, and will be forever; as long as there is money in the system, someone will be trying to get it,” Jack said.

He added: “Focus on taking the learnings and applying them to ‘next time’, because there will be a next time.”

Jack also offered some advice for how advisers can work cyber security conversations into their client meetings:

  1. Ensure your clients have long, strong, and unique passwords for all their investments. “Diversify their passwords!”
  2. Use a multi-factor authentication process for transactions: not just MFA on the technology, but in the processes of your firm. Call clients to double-check, and make sure they call you to confirm, not just email.
  3. No more “set-and-forget” strategies for the security of your clients’ money; each review meeting should include an additional measure, like updating passwords or a more regular review of security. You get what you pay for, and you can use this conversation when clients want “cheaper” fees.

“The more you talk to your clients (and each other), the safer they will be from attacks like this in the future,” he added.