50k customers caught up in Spirit Super phishing attack

Data possibly compromised after attacker overcame MFA.

As many as 50,000 members of Tasmanian-based industry super fund Spirit Super may have had their sensitive personal information compromised after a phishing attack earlier this month.

Spirit Super, which was created by the merger of MTAA Super and Tasplan last year, revealed on Friday that a “data incident where a staff member’s email account was compromised” occurred on May 19.

It said that although the breach was detected quickly and “contained”, continuing investigations had revealed the attacker gained “unauthorised access to a mailbox containing personal data”.

The mailbox contained names, addresses, ages, email addresses, phone numbers, super account numbers and the balances of members from the 2019-20 financial year. No tax file numbers, driver’s licence details or bank account details are said to have been stolen.

Approximately 50,000 of the fund’s 330,000-odd total members have been potentially impacted, though Spirit Super stressed there is currently no evidence that any compromise of member accounts has occurred.

“Please be assured investigations to date indicate that accounts have not been compromised,” it said in a note on its website.

“We have increased the levels of security to ensure our members’ accounts remain safe. Our investigation will continue.”

Spirit Super said the attacker, who used an email “posing as official correspondence”, was able to overcome multi-factor authentication to compromise the staff member’s password.

“This was not the result of a material security control weakness or technology failure. The malicious emails resulted in a staff member’s password being compromised,” it said.

“Spirit Super employs multifactor authentication (MFA) in addition to a username and password to access our systems.

“Unfortunately, this additional layer of protection was overcome by the attacker and the mailbox was accessed. Phishing attacks such as this are becoming increasingly sophisticated and common.”

Spirit Super said it had notified all relevant authorities, including the Privacy Commissioner, and was in the process of “reviewing all our data handling practices and staff training”.

It is also continuing to review “account activity and placing enhanced controls on accounts” and further strengthening its “IT security and reduce the risk of cyber incidents”.

Spirit Super is Australia's eighth largest industry super fund by number of members, according to the Australian Prudential Regulation Authority.

Copyright © iTnews.com.au. All rights reserved.