Australia’s largest pension funds have been hit by a wave of coordinated cyberattacks, compromising more than 20,000 accounts and leading to significant financial losses for some members, including a reported theft of A$500,000 from four individuals.
According to a source familiar with the matter, hackers infiltrated multiple funds, including AustralianSuper, Australian Retirement Trust, Rest, Insignia, and Hostplus—some of the country’s biggest retirement savings institutions, managing a combined total of over A$873 billion.
AustralianSuper, which manages A$365 billion for 3.5 million members, confirmed that hackers accessed around 600 member accounts using stolen passwords. “We took immediate action to lock these accounts and notified affected members,” said Chief Member Officer Rose Kerlin, urging all users to check their online balances.
Rest Super reported the largest number of compromised accounts—about 20,000, or 1% of its 2 million members. CEO Vicki Doyle said the fund shut down its Member Access portal and activated cyber incident response protocols after detecting unauthorized activity over the weekend of March 29–30.
Australian Retirement Trust and Insignia Financial also confirmed detecting suspicious login attempts. Although neither fund reported financial losses at this stage, both locked affected accounts as a precaution.
Hostplus said no member funds had been lost but investigations were ongoing.
National Cyber Security Coordinator Michelle McGuinness said a whole-of-government response is underway, involving regulators and industry stakeholders. Prime Minister Anthony Albanese acknowledged the growing threat, noting that cyberattacks now occur “every six minutes” in Australia. Treasurer Jim Chalmers called the situation “very concerning,” while opposition cyber security spokesperson James Paterson urged funds to compensate affected members.
The breaches follow previous high-profile cyber incidents involving Medibank, Optus, and St Vincent’s Health. In response, the federal government last year pledged A$587 million to a seven-year national cybersecurity strategy.
