Cyber Daily


Super fund hit by phishing attack, customer data exposed

This week, Spirit Super contacted almost 50,000 of its members following a data incident that has resulted in personal information becoming compromised.

Reporter
Tue, 31 May 2022

The Tasmanian-based super fund notified members of a "data incident where a staff member's email account was compromised".

In a statement on its website, Spirit Super further explained that the breach occurred on 19 May and "had been detected quickly and contained". The company will continue investigating the incident after identifying that the attacker attained "unauthorised access to a mailbox containing personal data".

The company revealed that it appears no tax file numbers, driver's licence details or bank account details were stolen. The hacked mailbox contained names, addresses, ages, email addresses, phone numbers, super account numbers and the balances of Spirit Super members from the 2019-20 financial year, with about 50,000 of the fund's 330,000-odd total members potentially impacted.


Spirit Super has confirmed it has notified all the relevant authorities, including the Privacy Commissioner. It is now in the process of "reviewing all our data handling practices and staff training". The super fund is reviewing "account activity and placing enhanced controls on accounts" and has pledged to further strengthen its "IT security and reduce the risk of cyber incidents".

"Please be assured investigations to date indicate that accounts have not been compromised.

"Phishing attacks such as this are becoming increasingly sophisticated and common.

"Our investigation will continue," Spirit Super wrote on its website.

The super fund noted that this was "not the result of a material security control weakness or technology failure", further revealing that the staff member's password had been compromised after the malicious cyber attacker "overcome multi-factor authentication" using an email "posing as official correspondence".

"Spirit Super employs multi-factor authentication (MFA) in addition to a username and password to access our systems.

"The malicious emails resulted in a staff member's password being compromised.

"Unfortunately, this additional layer of protection was overcome by the attacker and the mailbox was accessed," Spirit Super stated on its website.

Spirit Super was created following the merger of MTAA Super and Tasplan in 2021. The super fund is Australia's eighth-largest industry super fund by number of members, according to the Australian Prudential Regulation Authority.

"We have increased the levels of security to ensure our members' accounts remain safe," Spirit Super wrote.
