It began quietly, with a few super members checking their accounts and sensing something was off. Balances were lower than expected, messages from their funds seemed delayed, and soon the scale of the problem became clear. Within days, four Australians had lost a combined $500,000 from their superannuation accounts—and the entire industry was on alert.
With more than $4.3 trillion sitting across all super funds, Australia’s retirement savings have become a tempting target for cyber criminals looking to cash in on vulnerabilities many never knew existed.
Australians worried about super security
A recent survey found that 64 per cent of respondents were worried about their fund’s security and wished it would be strengthened.
The concern isn’t unfounded—experts say scammers are constantly sharpening their tools, while the super sector races to stay one step ahead.
The Association of Superannuation Funds of Australia (ASFA), the peak body for the industry, has been quietly working on a large-scale cybersecurity project to protect members’ savings.
ASFA chief executive Mary Delahunty said the effort is designed to give funds a united front against future scams and fraud.
‘This is a significant undertaking with multiple elements, including a secure, bespoke intelligence-sharing and communications platform that will enable proactive threat mitigation through collaboration and early warning systems, coordinated incident response capabilities across funds and service providers, and a dedicated cyber playbook to guide the sector through potential incidents.’
She added that the organisation has been working closely with government and regulators to make sure expectations are aligned: ‘We’ve learnt a lot from what’s worked in other sectors, especially banking, where the industry came together to share information about threats and coordinate their response.’
April super cyber attack sees Aussies lose $500,000
The industry was shaken in April when news broke that a major cyberattack had targeted several super funds.
Providers affected included Rest, Insignia and AustralianSuper, with four members believed to have lost half a million dollars in total during the coordinated assault.
Matt Warren, director of the RMIT Centre for Cyber Security Research and Innovation, said super accounts were an easy target because some did not require multi-factor authentication (MFA).
He explained that ‘the problem is superannuation funds were given two years to implement it, so the end date was in 2026’, and noted that some funds were still in transition when the attacks happened.
‘If this had happened next year, for instance, it might not have had the same impact,’ Warren said.
‘The only positive that will come out of this is it will actually speed up companies if they haven’t to implement multi-factor authentication.’
The Financial Services Council issued a directive last year requiring its superannuation members to make MFA compulsory, along with alternatives like biometrics or one-time passwords.
How the industry is responding
ASFA’s cybersecurity project aims to give funds access to shared, real-time threat intelligence and early warning systems—tools that can help stop cybercriminals before they strike.
Each fund is also investing in its own defences, strengthening authentication systems and tightening fraud monitoring. Delahunty said ensuring Australians’ money and data remain secure has always been taken ‘extremely seriously’.
What you can do to protect your super
While the industry builds stronger walls, everyday members still play an important role in protecting their savings.
Following the April attack, experts encouraged Australians to update their passwords and activate MFA if available.
The government’s MoneySmart website advises members to always use unique passwords for each platform. ‘Make sure your passwords are long and complex,’ it said.
‘Strong passwords make it harder for people to hack into your accounts.’
Simple ways to safeguard your super account
- Change your password and avoid reusing it across different platforms.
- Enable multi-factor authentication (MFA) if your fund offers it.
- Regularly check your contact and bank details are up to date.
- Monitor your account for suspicious transactions or login alerts.
- Contact your super fund directly if you receive unusual emails or texts.
Essential super security contacts
- Australian Cyber Security Centre: cyber.gov.au/report
- 24/7 Cyber Security Hotline: 1300 CYBER1 (1300 292 371)
- Scamwatch: scamwatch.gov.au
- Your super fund’s member services line
A safer future for members
Superannuation funds have long been one of the most valuable assets a person holds during their lifetime—and now they’re becoming one of the most heavily guarded.
The April breach has made cybersecurity a shared priority across the industry.
While funds continue to strengthen their defences, members can play their part by staying alert and following simple safety steps to keep their super secure.
Source: YouTube / 9 News Australia