Following a cyber attack at $15 billion fund NGS Super earlier this year, a South Australian super fund has now reported a cyber-related incident that may have affected some 14,011 members.
On 17 October, Super SA announced it was aware of a specific cohort who may have been impacted by a cyber security incident involving a former third-party service provider to Super SA and other South Australian government agencies.
The $36 billion fund for South Australian public sector workers confirmed to Super Review the third party was a local company, not based overseas.
“The third-party provider was a call centre that had been contracted by Super SA to field inquiries from members affected by a separate 2019 breach,” the fund stated.
“None of the data held by the third-party provider contains information post-2020.”
As of 19 October, it did not believe Super SA data had been accessed, though it was continuing to monitor the situation.
“We can assure you that the security of member funds and our core operations have not been impacted,” the fund said.
“We are taking an abundance of caution to secure member accounts in the acknowledgment that the data has been breached.”
The fund is understood to have corresponded with impacted members through email or letter and, since being made aware of the incident, it has added additional security measures to the affected member accounts, whilst other government agencies awaited the decryption of their data.
The fund said: “Super SA has many safeguards in place to protect your personal information, from your contact details to your account balance. We actively monitor for signs of suspicious activity as part of our ongoing compliance obligations and to date, there is no indication of suspicious activity.
“However, since we were made aware of the threat by the external provider, we have also heightened our ID theft monitoring and controls for those who may be impacted.”
In the first quarter of 2023, industry super fund NGS Super had also revealed it fell victim to a cyber attack. It resulted in limited data being taken from its systems, though no super savings were affected.
Reflecting on the incident, the fund’s chief executive, Natalie Previtera, told Super Review: “I was the chief risk officer at NGS Super prior to becoming acting chief executive, and if anyone were to ask me the risk that kept me up at night, it would be a cyber attack.
“In this day and age, it was a matter of when, unfortunately, and not if.”
Regarding the fund’s decision to publicly announce the cyber attack, Previtera said transparency was key.
“We wanted to help members, and if that meant publicly disclosing this on the website, then absolutely, because we could get to members sooner or in a different way if they weren’t opening their emails or checking correspondence from us. It was a no-brainer for us to say, ‘We’re going to be transparent and we’re willing to let members know publicly’,” she said.
“Our size was a real strength in this. We were able to work really hard in those first few days to determine exactly what was taken and arm members with the right information. We wrote to all members, irrespective of whether they had been impacted, and followed up with more tailored correspondence.
“As a third step, for as many members as we could, we had our team making proactive phone calls. That’s down to the personalised service and intimacy we have with our members. In that situation, we leaned into our strengths.”
Since the cyber attack, she said NGS Super had not witnessed any significant change in member numbers.
Super funds had a “tremendous month” in November, according to new data.
Australia faces a decade of deficits, with the sum of deficits over the next four years expected to overshoot forecasts by $21.8 billion.
APRA has raised an alarm about gaps in how superannuation trustees are managing the risks associated with unlisted assets, after releasing the findings of its latest review.
Compared to how funds were allocated to March this year, industry super funds have slightly decreased their allocation to infrastructure in the six months to September – dropping from 11 per cent to 10.6 per cent, according to the latest APRA data.