Vulnerabilities in superannuation member data collection, storage and protection

01 Feb, 2023

Vulnerabilities in member data collection, storage and protection in superannuation

When data is collected, protected, stored or shared, businesses, government departments and individuals all face similar challenges. In the superannuation sector specifically, the risks include confidentiality and privacy breaches, as well as violations of other legitimate private interests.

Australia’s $2.9 trillion superannuation system is an appealing target for cyber criminals, so consistent cybersecurity controls must be implemented across all funds and sectors.

In 2021, the Gateway Network Governance Body, the agency responsible for overseeing Australia’s superannuation transaction network, encouraged super funds to share threat information more efficiently and to adopt preventive cyber tools throughout the super ecosystem. Even when such controls are in place, breaches and attacks can still succeed through human error.

Types of superannuation data vulnerabilities

Many cyber threats target the super ecosystem, and they frequently demand urgent action. The most common are identity theft, malware and ransomware, and phishing emails. All of these are growing in sophistication, which calls for increased vigilance and action.

For example, email remains a popular attack route: 74.1% of all threats blocked in 2021 arrived via email. Likewise, the FBI’s Internet Crime Complaint Center (IC3) reported “an unprecedented increase in cyberattacks and malicious cyber activity” in its 2021 Internet Crime Report, with business email compromise remaining a primary attack vector.

Commonly exploited vulnerabilities include unpatched software, exposed network services (open ports) and weak access controls. Through these, attackers reach systems that hold sensitive data and gain unauthorised access to superannuation member accounts, which they can then use to submit fraudulent requests in the member’s name.

The ACSC reports that most of the tactics cybercriminals use to harvest sensitive financial and personal data can be mitigated by measures such as not acting on unsolicited text messages and emails, and by adopting stronger company-wide authentication (for example, multi-factor authentication) and data governance practices.

Australian data breaches in 2022

The OAIC reported 24 large-scale data breaches in Australia between January and June 2022. Contact and identity information is the type of data most often involved, and organisations covered by the Notifiable Data Breaches scheme must notify the OAIC of eligible breaches as soon as practicable.

Below are two prominent breaches that occurred during 2022:

Spirit Super privacy data breach

In May 2022, the data of around 50,000 Spirit Super members was potentially compromised in a phishing attack. The fund responded quickly and confirmed that the breach began when a staff member’s email account was compromised.

The attacker gained unauthorised access to a mailbox containing personal data, including the names, addresses, ages, phone numbers and account balances of members from the 2019-20 financial year. No driver’s licence, bank account or tax file number details were reported to have been compromised.

The attacker got past multi-factor authentication after an official-looking phishing email tricked the staff member into revealing their password (the report does not say how the second factor was defeated; a stolen password alone does not satisfy MFA). The attacker then accessed the mailbox, and there was no evidence that any other accounts were compromised.

Medibank data breach

On 1 December 2022, the attackers posted a file on the dark web said to contain the data of all Medibank Private customers, believed to amount to more than 6GB, after Medibank refused to pay a ransom of about $15 million.

The attackers had first surfaced at the beginning of November, when they published the names, addresses and birthdates of Medibank Private customers on the dark web.

The Office of the Australian Information Commissioner (OAIC) has since opened an investigation into Medibank’s personal information handling practices in relation to the breach, focusing on how Medibank protected its customers’ personal information.

Minimise the risk of a data breach

With malicious or criminal attacks the leading cause of data breaches, awareness of how attacks happen matters more than ever. Understanding what a data breach is and how breaches occur is the first and most important step in preventing them.

Managing the after-effects of a data breach can significantly affect a company’s reputation and bottom line. The Australian Cyber Security Centre (ACSC) publishes guidance for businesses on preventing and responding to data breaches. If your organisation needs tailored assistance with its strategy for customer data collection, storage and protection, contact the team at 9Yards for expert advice.