
Australia’s largest pension funds were hit by cyberattacks that compromised more than 20,000 accounts. This marks one of the largest security breaches in the country’s retirement savings sector, which manages assets worth AU $4.2 trillion ($2.63 trillion).
AustralianSuper confirmed that hackers accessed up to 600 member accounts by stealing passwords. Fraudulent transactions drained a combined AU $500,000 from at least four accounts, transferring the funds to destinations that did not belong to the account holders, according to a Reuters report.
AustralianSuper quickly locked affected accounts and urged all members to check their balances for irregularities.
Australian Retirement Trust, the second-largest fund managing AU $300 billion in assets, detected unusual login activity in several hundred accounts. No financial losses or unauthorized changes were reported, but the fund locked impacted accounts as a preventive measure.
Rest Super, managing AU $93 billion and primarily serving retail workers, suffered a breach affecting approximately 20,000 accounts, amounting to 1% of its total membership. Rest became aware of unauthorized activity on the Member Access portal over the weekend of 29-30 March 2025.
Other pension funds, including Insignia Financial and Hostplus, also reported attempted cyber intrusions but confirmed that member accounts had suffered no financial losses to date. Investigations are ongoing, with measures being taken to identify vulnerabilities.
National Cyber Security announced that the government, regulatory bodies, and industry players were working together to respond to the attacks, aware of cybercriminals targeting the retirement savings sector.
However, the exact number of affected funds and members remains unclear, while the attackers remain unknown.
This is not the first time Australia has faced high-profile cybersecurity threats. Recent breaches targeted Medibank, St Vincent’s Health, IVF giant Genea, and telecom giant Optus, while 2024 was marked by the Northern Minerals data breach.
The Australian government allocated AU $587 million in 2023 to implement a seven-year cybersecurity strategy aimed at enhancing resilience for citizens, businesses, and government agencies.