Super insecure: Data breaches in the superannuation sector and more

Early this year, several Australian superannuation funds including AustralianSuper, Rest, Hostplus and the Australian Retirement Trust were targeted by a coordinated cyberattack that saw some 20,000 accounts collectively compromised, with the country’s largest fund, AustralianSuper, reporting that a combined $500,000 was transferred out of the accounts of four customers.

Rather than a direct attack on the super funds’ IT infrastructure, the attackers used a technique known as credential stuffing: username and password pairs stolen in earlier breaches of other platforms and websites are replayed, usually by automated tooling, against the funds’ login pages. The attack succeeds only where a member has reused the same password and no second factor is required, so people who use the same password across multiple accounts are particularly at risk as data breaches continue to rise.
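The pattern described above is detectable in ordinary authentication logs: a stuffing run shows up as one source address trying many distinct usernames in a short window with a high failure rate, with the occasional success marking a reused password. The following is an added example, not code from any of the funds or a vendor product; the log format, field names, thresholds and sample lines are constructed assumptions for illustration.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not the funds' or any vendor's code). The log format,
field names, window and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp, source IP,
# username, result). Nothing here is taken from a real incident.
SAMPLE_LOG = """\
2025-03-28T02:00:01Z 203.0.113.7 alice.w FAIL
2025-03-28T02:00:02Z 203.0.113.7 bob.k FAIL
2025-03-28T02:00:03Z 203.0.113.7 carol.m FAIL
2025-03-28T02:00:04Z 203.0.113.7 dave.p FAIL
2025-03-28T02:00:05Z 203.0.113.7 erin.s SUCCESS
2025-03-28T02:00:06Z 203.0.113.7 frank.t FAIL
2025-03-28T02:00:07Z 203.0.113.7 grace.l FAIL
2025-03-28T02:00:08Z 203.0.113.7 heidi.n SUCCESS
2025-03-28T02:05:00Z 198.51.100.20 alice.w FAIL
2025-03-28T02:05:30Z 198.51.100.20 alice.w FAIL
2025-03-28T02:06:00Z 198.51.100.20 alice.w SUCCESS
2025-03-28T02:10:00Z 192.0.2.44 bob.k SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window per source IP
MIN_DISTINCT_USERS = 5           # assumed: many usernames from one IP
MIN_FAIL_RATIO = 0.6             # assumed: most replayed pairs do not work


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: {"users": n, "fail_ratio": r, "compromised": [...]}}
    for source IPs whose activity inside any sliding window looks like a
    stuffing run. 'compromised' lists accounts that logged in successfully
    from that IP during the run: candidates for forced password reset."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                compromised = sorted({e[2] for e in win if e[3]})
                prev = findings.get(ip)
                # Keep the widest window seen for this IP.
                if prev is None or len(users) > prev["users"]:
                    findings[ip] = {"users": len(users),
                                    "fail_ratio": round(ratio, 2),
                                    "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['users']} usernames, fail ratio {f['fail_ratio']}, "
              f"successful logins for {f['compromised']}")
```

On the constructed sample only 203.0.113.7 is flagged: eight usernames in seven seconds with a 0.75 failure ratio, and two accounts (erin.s and heidi.n) that accepted a replayed password. The repeated attempts from 198.51.100.20 against a single account are a different pattern (password guessing against one user) and are deliberately not matched by this rule; in practice a real stuffing run is spread across many source addresses, so the same logic is usually also run keyed on user-agent, ASN or request fingerprint rather than IP alone.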

Following on the heels of the attack on super funds, on 13 May 2025 the Australian Human Rights Commission (AHRC) reported a data breach involving the unauthorised disclosure of material uploaded through the complaints webform on the Commission’s website during several periods, most recently between 24 March and 10 April 2025.

Many of the compromised documents contain personal information of the individuals who submitted complaints to the AHRC, including their names, contact details, employment details, and health, religious and schooling information. The AHRC currently estimates that around 670 documents were made potentially accessible via search engines such as Google.

So far, 2025 has seen service providers in various industries around Australia, including universities, law firms and banks, fall victim to data breach incidents and ransomware attacks, with personal information of customers and employee credentials being compromised.

This string of data breach incidents has occurred amidst the cybersecurity and privacy law reforms being introduced by the Commonwealth Government to update and tighten Australia’s data privacy laws. The first tranche of reforms proposed by the Privacy and Other Legislation Amendment Bill 2024 expands the legal recourse available to individuals affected by a data breach. These include:

  • a statutory tort for serious invasions of privacy;
  • civil penalties for acts or practices that would interfere with personal data; and
  • criminal liability for malicious release of personal data online.

Following these reforms, individuals would have a legal avenue to pursue civil causes of action for serious breaches of privacy, and regulators such as the Office of the Australian Information Commissioner (OAIC) would have additional powers to issue infringement notices for non-compliance with privacy obligations by businesses, and to monitor and investigate data breaches. A summary of the key reforms that the Government has agreed to implement is set out in our article: Australian Privacy Reform 2024 – What you need to know.

It is important to bear in mind that while malicious or criminal attacks remain the most common source of data breach incidents (69% according to the OAIC’s notifiable data breaches report for the period July to December 2024), a substantial number of incidents, like the AHRC’s, were not the result of a malicious attack. Human error and system faults continue to make up over 30% of data breach incidents in Australia, including lost or misplaced devices containing personal data, access to data mistakenly authorised, documents sent to the wrong recipient and even failure to use BCC when sending emails.

If you would like to discuss any cybersecurity and privacy issues, please contact us on (08) 9221 0033 or legal@mphlawyers.com.au.