Company Details
australiansuper
2,362
82,100
52
http://www.australiansuper.com
0
AUS_1710943
In-progress

AustralianSuper Company CyberSecurity Posture
http://www.australiansuper.com

Australia’s largest super fund, investing for over 3 million members. AustralianSuper is here to help members achieve their best financial position in retirement. We do this by delivering strong long-term performance and low admin fees for members. We use our size, investment capability and global reach to help us access the best investment opportunities for the benefit of members. We’re committed to providing good value products and services that members need, along with support, guidance and advice to help them feel confident about their future.

AustralianSuper is not responsible for other users' comments. We reserve the right to delete any comments that are not in line with our community standards. By participating in AustralianSuper’s LinkedIn community, you agree to adhere to our House Rules: ausup.me/HouseRules

AustralianSuper is a profit-for-member fund. This means we don’t pay profits or dividends to shareholders, so the money we make goes back into the fund for the benefit of members. Investment returns aren’t guaranteed. Past performance isn’t a reliable indicator of future returns. Other fees and costs apply. Read the PDS and TMD at www.australiansuper.com. Contact: australiansuper.com/contact-us
AustralianSuper Global Score (TPRM): Between 650 and 699

Description: AustralianSuper, Australia’s largest superannuation fund, was targeted in a cyber incident between March and April, coinciding with market volatility. While APRA noted the overall impact on individual members was contained, the attack highlighted systemic vulnerabilities in the superannuation sector’s appeal to threat actors. The regulator emphasized that some funds, including AustralianSuper, demonstrated stronger responses by leveraging clear control environments—particularly around payment processes—to swiftly interrupt fraudulent transactions and recover misdirected funds. However, the incident exposed gaps in industry-wide coordination, public trust, and member protection awareness. APRA’s assessment underscored the need for a unified cybersecurity strategy, as fragmented responses risked amplifying reputational damage and financial losses. The attack’s timing during market instability further compounded its potential ripple effects, though no large-scale data breaches or ransomware were explicitly reported. The focus remained on operational disruption, trust erosion, and the urgency for collaborative threat mitigation across the sector.


AustralianSuper has 156.41% more incidents than the average of same-industry companies with at least one recorded incident.
AustralianSuper has 212.5% more incidents than the average of all companies with at least one recorded incident.
AustralianSuper reported 2 incidents this year: 1 cyber attack, 0 ransomware, 0 vulnerabilities, 1 data breach, compared to industry peers with at least 1 incident.
AustralianSuper cyber incidents detection timeline including parent company and subsidiaries

The country's largest superannuation funds are working on a plan to share intel on suspicious criminal activity and tackle the threat of...
The Australian Prudential Regulation Authority (APRA) has made clear to the superannuation sector that it needs to develop the ability to...
Superannuation funds need to create a stronger culture of information sharing – and the infrastructure to support it – to mitigate both the...
APRA has announced a crack-down on super funds cyber security with particular obligations on funds hit with 'credentials stuffing' attacks.
APRA has written to superannuation funds with a deadline to fix a key cybersecurity flaw in the $4.2 trillion sector.
The powerful financial regulator has warned there are key gaps in some super funds' defences against cyberattacks, ordering funds to assess their systems.
AustralianSuper is rolling out MFA to its members following April's cyberattack that saw $750,000 taken from members' accounts.
Beware of phishing emails posing as AustralianSuper seeking personal info. Protect your superannuation from cybercriminals.
New research reveals that more than half of Australian super funds lack basic cyber security measures to protect their members.

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
The official website of AustralianSuper is http://www.australiansuper.com.
According to Rankiteo, AustralianSuper’s AI-generated cybersecurity score is 687, reflecting their Weak security posture.
According to Rankiteo, AustralianSuper currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
According to Rankiteo, AustralianSuper is not certified under SOC 2 Type 1.
According to Rankiteo, AustralianSuper does not hold a SOC 2 Type 2 certification.
According to Rankiteo, AustralianSuper is not listed as GDPR compliant.
According to Rankiteo, AustralianSuper does not currently maintain PCI DSS compliance.
According to Rankiteo, AustralianSuper is not compliant with HIPAA regulations.
According to Rankiteo, AustralianSuper is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
AustralianSuper operates primarily in the Financial Services industry.
AustralianSuper employs approximately 2,362 people worldwide.
AustralianSuper presently has no subsidiaries across any sectors.
AustralianSuper’s official LinkedIn profile has approximately 82,100 followers.
AustralianSuper is classified under the NAICS code 52, which corresponds to Finance and Insurance.
No, AustralianSuper does not have a profile on Crunchbase.
Yes, AustralianSuper maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/australiansuper.
As of November 27, 2025, Rankiteo reports that AustralianSuper has experienced 2 cybersecurity incidents.
AustralianSuper has an estimated 29,544 peer or competitor companies worldwide.
Incident Types: The types of cybersecurity incidents that have occurred include Breach and Cyber Attack.
Total Financial Loss: The total financial loss from these incidents is estimated to be $0.
Detection and Response: The company detects and responds to cybersecurity incidents through containment measures (restrictions on modifying bank and contact information; heightened security; transaction interruption; fund recovery for diverted payments), an incident response plan that was activated (by some funds; effectiveness varied), and a communication strategy built around an industry roundtable (July 2024) to address coordination gaps.
Title: AustralianSuper Cyberattack
Description: AustralianSuper, the nation's largest superannuation fund managing A$365 billion, experienced cyberattacks compromising member accounts. Suspicious account activity led to restrictions on modifying bank and contact information. While viewing accounts remains available, the fund has heightened security and call support. They prioritize member data and financial safety.
Type: Cyberattack
Title: Cyber Incidents Targeting Australian Superannuation Funds (March-April 2024)
Description: APRA highlighted the need for a coordinated industry response to cyber incidents affecting multiple superannuation funds, including AustralianSuper. While the impact on individual members was contained, the incidents underscored the sector's appeal to threat actors, particularly during market volatility. Some funds demonstrated stronger control environments (e.g., payments processes) and proactive cybersecurity measures, but overall, the industry requires improved public perception management, member trust, and cross-stakeholder coordination. The National Cyber Security Coordinator emphasized the tension between competition and collaboration in cybersecurity.
Date Publicly Disclosed: 2024-07-00
Type: Cyber Attack
Motivation: Financial Gain, Disruption
Common Attack Types: The most common type of attack the company has faced is Breach.

Financial Loss: Contained (specific losses unreported; some funds recovered diverted transactions)
Operational Impact: Minimal (transactions interrupted/recovered in some cases)
Brand Reputation Impact: Potential erosion of member trust (highlighted as a risk by APRA)
Payment Information Risk: Targeted (payments processes exploited in some cases)
Average Financial Loss: The average financial loss per incident is $0.00.

Entity Name: AustralianSuper
Entity Type: Superannuation Fund
Industry: Finance
Location: Australia

Entity Name: AustralianSuper
Entity Type: Superannuation Fund
Industry: Financial Services
Location: Australia
Size: Largest in Australia

Entity Name: Unnamed Superannuation Funds
Entity Type: Superannuation Funds
Industry: Financial Services
Location: Australia

Containment Measures: Restrictions on modifying bank and contact information; Heightened security

Incident Response Plan Activated: Yes (by some funds; effectiveness varied)
Containment Measures: Transaction interruption; Fund recovery (for diverted payments)
Communication Strategy: Industry roundtable (July 2024) to address coordination gaps
Incident Response Plan: The company's incident response plan is described as Yes (by some funds; effectiveness varied).
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through restrictions on modifying bank and contact information, heightened security, transaction interruption and fund recovery (for diverted payments).

Regulatory Notifications: APRA-led industry roundtable (July 2024) with National Office of Cyber Security

Lessons Learned: Effective responders had clear control environments (e.g., payments processes) and proactive cybersecurity measures; Industry lacks coordinated response capability for multi-stakeholder incidents; Public perception and member trust are critical but underaddressed; Competition vs. collaboration tension hinders collective progress.

Recommendations: Develop a unified industry response framework for cyber incidents; Enhance accountability for member protection; Improve cross-stakeholder coordination and communication; Address public perception/trust risks proactively.
Key Lessons Learned: The key lessons learned from past incidents are: Effective responders had clear control environments (e.g., payments processes) and proactive cybersecurity measures; Industry lacks coordinated response capability for multi-stakeholder incidents; Public perception and member trust are critical but underaddressed; Competition vs. collaboration tension hinders collective progress.

Source: APRA Analysis of Superannuation Cyber Roundtable
Date Accessed: 2024-07-00
Additional Resources: Source: APRA Analysis of Superannuation Cyber Roundtable; Date Accessed: 2024-07-00.

Investigation Status: Ongoing (industry-wide coordination gaps identified)
Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through an industry roundtable (July 2024) to address coordination gaps.

Stakeholder Advisories: APRA and National Cyber Security Coordinator emphasized need for collective action.
Advisories Provided: The company provides the following advisory to stakeholders and customers following an incident: APRA and the National Cyber Security Coordinator emphasized the need for collective action.

High Value Targets: Payment Processes
Data Sold on Dark Web: Payment Processes

Root Causes: Lack of industry-wide coordination mechanism; Varied effectiveness of individual fund responses; Market volatility exploited during incidents.
Corrective Actions: Proposal to establish clear accountability for multi-stakeholder incident response; Call for improved collaboration despite competitive tensions.
Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Proposal to establish clear accountability for multi-stakeholder incident response; Call for improved collaboration despite competitive tensions.
Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-07-00.
Highest Financial Loss: The highest financial loss from an incident was described as Contained (specific losses unreported; some funds recovered diverted transactions).
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were restrictions on modifying bank and contact information, heightened security, transaction interruption and fund recovery (for diverted payments).
Most Significant Lesson Learned: The most significant lesson learned from past incidents was Competition vs. collaboration tension hinders collective progress.
Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Improve cross-stakeholder coordination and communication; Address public perception/trust risks proactively; Enhance accountability for member protection; Develop a unified industry response framework for cyber incidents.
Most Recent Source: The most recent source of information about an incident is APRA Analysis of Superannuation Cyber Roundtable.
Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (industry-wide coordination gaps identified).
Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: APRA and National Cyber Security Coordinator emphasized need for collective action.
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.16, 20.3.14, and 21.0.1, there is a XSRF token leakage via protocol-relative URLs in angular HTTP clients. The vulnerability is a Credential Leak by App Logic that leads to the unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking if a request URL starts with a protocol (http:// or https://) to determine if it is cross-origin. If the URL starts with protocol-relative URL (//), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the X-XSRF-TOKEN header. This issue has been patched in versions 19.2.16, 20.3.14, and 21.0.1. A workaround for this issue involves avoiding using protocol-relative URLs (URLs starting with //) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single /) or fully qualified, trusted absolute URLs.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Uncontrolled Recursion vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. This issue has been patched in version 1.3.2.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. An Integer Overflow vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures containing OIDs with oversized arcs. These arcs may be decoded as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. This issue has been patched in version 1.3.2.
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Prior to versions 7.0.13 and 8.0.2, working with large buffers in Lua scripts can lead to a stack overflow. Users of Lua rules and output scripts may be affected when working with large buffers. This includes a rule passing a large buffer to a Lua script. This issue has been patched in versions 7.0.13 and 8.0.2. A workaround for this issue involves disabling Lua rules and output scripts, or making sure limits, such as stream.depth.reassembly and HTTP response body limits (response-body-limit), are set to less than half the stack size.
Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions from 8.0.0 to before 8.0.2, a NULL dereference can occur when the entropy keyword is used in conjunction with base64_data. This issue has been patched in version 8.0.2. A workaround involves disabling rules that use entropy in conjunction with base64_data.

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.