A phishing attack at Australian pension provider Spirit Super has resulted in “some personal details being compromised”.
The ‘super fund’ confirmed that user data was breached on May 19, 2022 after an employee’s email account was accessed.
An investigation into the incident found that there was “unauthorized access to a mailbox containing personal data” that included names and other sensitive information. Spirit Super said approximately 50,000 individuals are affected.
Spirit Super manages $26 billion worth of funds on behalf of 325,000 members across Australia.
Exposed data
A press release from the Tasmanian-based company reads: “The personal data that may have been compromised is similar to some information provided in an annual statement, including names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers, and member balances (as at 2019 and 2020).
“It is important to note that this data DOES NOT include dates of birth, government identification numbers (such as tax file numbers or driver’s license details), or any bank account details.”
Spirit Super said it does not believe the attack was targeted, rather that it was “caught up” in a widespread phishing campaign.
The super fund detailed: “In short, it was human error during a malicious email attack posing as official correspondence. This was not the result of a material security control weakness or technology failure. The malicious email resulted in a staff member’s password being compromised.”
The victim’s mailbox was compromised despite the deployment of multi-factor authentication (MFA), said Spirit Super.
“We have a skilled internal team focused on cybersecurity and protecting your information,” it added. “This team detected the compromised account and acted quickly to contain and limit the impact of the breach. No further accounts or systems were impacted.”
Security upgrade
Spirit Super said it is undertaking a thorough investigation to assess the impact of the incident, including reviewing account activity and placing enhanced controls on accounts.
Relevant authorities have been notified, including the Privacy Commissioner, and Spirit Super said it is taking “immediate precautions to further strengthen our IT security and reduce future risks of cyber incidents”.
Anyone affected by the breach has been notified, said Spirit Super. Users who have not received correspondence are not believed to have been impacted.
“We have no evidence to suggest your information and the broader set of member data has been intentionally accessed,” Spirit Super concluded.
“All we know is that the email account was compromised, and within that mailbox this data was available. The attacker may not be aware of the data set.
“Because of this, we recommend limiting any activity that might draw attention to your details being included in the data set, such as posting on social media.”