October 2, 2022

TheCyberThrone

Thinking Security! Always

Spirit Super Data breach affects 50K customers

As many as 50,000 members of Tasmanian-based industry super fund Spirit Super may have had their sensitive personal information compromised after a phishing attack earlier this month.

Spirit Super, which was created by the merger of MTAA Super and Tasplan last year, revealed that a data incident where a staff member’s email account was compromised occurred on May 19.


Although the breach was detected quickly and contained, continuing investigations had revealed the attacker gained unauthorized access to a mailbox containing personal data.

The mailbox contained names, addresses, ages, email addresses, phone numbers, super account numbers, and the balances of members from the 2019-20 financial year. No tax file numbers, driver’s license details, or bank account details are said to have been stolen.

Approximately 50,000 of the fund’s 330,000-odd total members have been potentially impacted, though Spirit Super stressed there is currently no evidence that member accounts have been compromised.

“Please be assured investigations to date indicate that accounts have not been compromised,” it said in a note on its website. “We have increased the levels of security to ensure our members’ accounts remain safe. Our investigation will continue.”

Spirit Super said the attacker, who used an email posing as official correspondence, was able to overcome multi-factor authentication to compromise the staff member’s password. This was not the result of a material security control weakness or technology failure. The malicious emails resulted in a staff member’s password being compromised.

Spirit Super employs multifactor authentication (MFA) in addition to a username and password to access our systems. Unfortunately, this additional layer of protection was overcome by the attacker and the mailbox was accessed. Phishing attacks such as this are becoming increasingly sophisticated and common.


Spirit Super said it had notified all relevant authorities, including the Privacy Commissioner, and was in the process of reviewing all of its data handling practices and staff training.

Spirit Super is Australia’s eighth largest industry super fund by the number of members, according to the Australian Prudential Regulation Authority.
