Data breach at Australian pension provider Spirit Super hits 50,000 victims following phishing attack

‘Super fund’ confirms that user information has been exposed

A phishing attack on Australian pension provider Spirit Super led to the compromise of “certain personal details”.

The “super fund” confirmed that user data was breached on May 19, 2022 after an employee’s email account was accessed.

An investigation into the incident found there had been “unauthorized access to a mailbox containing personal data”, which included names and other personal information. Spirit Super said around 50,000 people are affected.

Spirit Super manages $26 billion in funds on behalf of 325,000 members across Australia.

Exposed Data

A press release from the Tasmania-based company read: “The personal data that may have been compromised is similar to certain information provided in an annual statement, including names, addresses, ages (in 2019 and 2020), email addresses, phone numbers, member account numbers and member balances (in 2019 and 2020).

“It is important to note that this data DOES NOT include dates of birth, government identification numbers (such as tax file numbers or driver’s license details), or any bank account details.”


Spirit Super said it did not believe the attack was targeted, but rather that it was “caught” in a widespread phishing campaign.

The super fund detailed: “In short, this was human error during a malicious email attack posing as official correspondence. It was not the result of a hardware weakness in the security check or a technology failure. The malicious email compromised a staff member’s password.”

The victim’s mailbox was compromised despite multi-factor authentication (MFA) being deployed, Spirit Super said. The statement does not say how the second factor was defeated. In general, a phishing page that proxies the real login form can relay a one-time code to the legitimate service in real time, which is why only phishing-resistant factors such as FIDO2/WebAuthn security keys reliably stop this class of attack.

“We have a skilled in-house team focused on cybersecurity and protecting your information,” it added. “This team detected the compromised account and acted quickly to contain and limit the impact of the breach. No other accounts or systems were impacted.”

Security upgrade

Spirit Super said it was undertaking a thorough investigation to assess the impact of the incident, including reviewing account activity and implementing enhanced account controls.

Relevant authorities have been notified, including the Privacy Commissioner, and Spirit Super said it was taking “immediate precautions to further strengthen our IT security and reduce the risk of future cyber incidents.”


Anyone affected by the breach has been notified, Spirit Super said. Users who did not receive correspondence are not deemed to have been affected.

“We have no evidence to suggest that your information and the broader set of member data was intentionally accessed,” Spirit Super concluded.

“All we know is that the email account was compromised and in that mailbox this data was available. The attacker may not be aware of the data set.

“For this reason, we recommend that you limit any activity that could draw attention to your information’s inclusion in the dataset, such as posting to social media.”
