“There is an expectation of any loss that’s incurred due to identity theft or scam where the account member is not at fault would be made good,” he said. “Funds will look at incidents on a case-by-case basis and seek to make the member whole.”
The alleged scam was a warning, he said, that cyber theft is “a very real risk” to the $3 trillion superannuation industry.
“This [alleged scam] is a timely reminder for fund members, the funds themselves and regulators that they need to stay vigilant and that this is a very real risk to the industry,” Mr Fahy said.
“If a member of a fund has any concerns or if they believe there has been suspicious activities in their account, then they should contact their fund immediately.”
The nation’s largest fund, AustralianSuper, said it had tightened its online security after being made aware of alleged fraud attempts as far back as last year.
An AustralianSuper spokesman said the fund had reported “irregularities” discovered to both the Australian Federal Police and local police.
The fund, which manages more than $140 billion in assets, said fewer than 10 members were affected by the alleged scam and all had been contacted.
However, the incident was serious enough for it to review and tighten its online security, the spokesman said.
“A number of new cyber-security measures have recently been implemented by the fund to further protect member accounts,” a spokesman said.
The court documents show 12 of the 53 charges laid against Ms Vella-Arpaci relate to breaches involving LUCRF Superannuation customers.
The fund did not respond to questions about whether it had contacted members about the breach or reported itself to the Office of the Australian Information Commissioner (OAIC).
But a spokesman did confirm it had been working with the Australian Federal Police during their investigations.
According to court documents, the alleged fraud ring also accessed and modified data held on a REST computer and stole money from a REST customer’s account.
REST said it was co-operating with investigators and was “not aware of any successful cyber attacks or data hacks on its systems”.
“We have robust systems in place to protect the integrity of our cyber security,” a spokesman said.
“There is an expectation of any loss incurred due to identity theft or scam where the account member is not at fault would be made good.”
Martin Fahy, chief executive of the Association of Superannuation Funds of Australia
HESTA said no members had lost super “and only a few were targeted”.
Hostplus said it was co-operating with police regarding “a small number of cases of identity theft” but denied it had been directly subject to any cyber fraud activity.
“Hostplus maintains rigorous fraud detection and related risk controls to protect members’ accounts,” the fund said in a statement.
Other institutions named in court documents that are alleged to have been affected include CommSec and CMC Markets.
A spokesman for CommSec declined to comment but said it was continually investing in its security systems.
CMC Markets said it would not comment while court action was pending.
A spokesman for the OAIC said it would not comment on the specifics of the alleged breaches.
“We would expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those affected,” the spokesman said.
“If the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action – and the organisation is covered by the Privacy Act – they must notify the people who are affected and the OAIC as quickly as possible,” the spokesman added.
Stephen is Investment Editor at The Age and Sydney Morning Herald. He writes about personal finance issues and markets as well as editing Money.
Sarah Danckert is a business reporter.