Spirit Super
Company Details
Linkedin ID:
spirit-super
Website:
Employees number:
62
Number of followers:
0
NAICS:
52
Industry Type:
Homepage:
spiritsuper.com.au
IP Addresses:
0
Company ID:
SPI_2242864
Scan Status:
In-progress
Spirit Super Company CyberSecurity Posture
spiritsuper.com.au
Spirit Super is a multi-industry super fund with $25 billion funds under management and over 324,000 members across Australia. We’re here to help everyday Australians get the most out of their super through low fees and a focus on competitive investment returns. We take great pride in offering excellent service no matter your life stage or retirement goals. When it comes to super, it all starts with Spirit. Advice on Spirit Super is provided by Quadrant First Pty Ltd (ABN 78 102 167 877, AFSL 284443) and issuer is Motor Trades Association of Australia Superannuation Fund Pty Ltd (ABN 14 008 650 628, AFSL 238718), the trustee of Spirit Super (ABN 74 559 365 913). Read the PDS and TMD at spiritsuper.com.au/pds before making a decision.
Spirit Super A.I CyberSecurity Scoring
Spirit Super Risk Score (AI oriented)Between 800 and 849
Spirit Super
Updated:
- Powered by our proprietary A.I cyber incident model
- Insurance preferes TPRM score to calculate premium
Spirit Super Global Score (TPRM)XXXX
Spirit Super
- Instant access to detailed risk factors
- Benchmark vs. industry & size peers
- Vulnerabilities
- Findings
Spirit Super Company CyberSecurity News & History
Past Incidents
1
Attack Types
1
Spirit Super
Breach
Rankiteo Explanation
Attack threatening the economy of a geographical region
Description: Australian pension provider Spirit Super suffered a data breach incident after an employee’s email account was accessed. An unauthorized party gained access to a mailbox containing personal data that included names and other sensitive information of approximately 50,000 individuals. The personal data included names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers, and member balances (as at 2019 and 2020). The breach was a result of a widespread phishing campaign which the team detected and restored the compromised account and acted quickly to contain and limit the impact of the breach
Spirit Super Company Scoring based on AI Models
Cyber Incidents Likelihood 3 - 6 - 9 months
A.I Risk Score Likelihood 3 - 6 - 9 months
Underwriter Stats for Spirit Super
Incidents vs Financial Services Industry Average (This Year)
No incidents recorded for Spirit Super in 2025.
Incidents vs All-Companies Average (This Year)
No incidents recorded for Spirit Super in 2025.
Incident Types Spirit Super vs Financial Services Industry Avg (This Year)
No incidents recorded for Spirit Super in 2025.
Incident History — Spirit Super (X = Date, Y = Severity)
Spirit Super cyber incidents detection timeline including parent company and subsidiaries
Spirit Super Company Subsidiaries
Spirit Super is a multi-industry super fund with $25 billion funds under management and over 324,000 members across Australia. We’re here to help everyday Australians get the most out of their super through low fees and a focus on competitive investment returns. We take great pride in offering excellent service no matter your life stage or retirement goals. When it comes to super, it all starts with Spirit. Advice on Spirit Super is provided by Quadrant First Pty Ltd (ABN 78 102 167 877, AFSL 284443) and issuer is Motor Trades Association of Australia Superannuation Fund Pty Ltd (ABN 14 008 650 628, AFSL 238718), the trustee of Spirit Super (ABN 74 559 365 913). Read the PDS and TMD at spiritsuper.com.au/pds before making a decision.
Loading...
Spirit Super Similar Companies
Mizuho
This is not your typical financial institution. It’s our people who make us a cut above. Here, every person is respected because of their differences, not in spite of them. We pride ourselves on a culture of purpose, passion and compassion. At Mizuho, we provide the stability of an international in
Paytm
Paytm started the Digital Revolution in India. And we went on to become India’s leading Payments App. Today, more than 20 Million merchants & businesses are powered by Paytm to Accept Payments digitally. This is because more than 300 million Indians use Paytm to Pay at their stores. And that’s not
Nomura
Nomura is a global financial services group with an integrated network spanning approximately 30 countries and regions. By connecting markets East & West, Nomura services the needs of individuals, institutions, corporates and governments through its three business divisions: Wealth Management, Inves
New York Life Insurance Company
For over 175 years, we've been helping people put love into action. As a mutual company we hold ourselves to the highest standards of transparency, objectivity, and integrity. We’re committed to improving local communities through a culture of giving and volunteerism, supported by our own New York L
We help make money work for the world — managing it, moving it and keeping it safe. As a leading global financial services company at the center of the world’s financial system, we touch nearly 20% of the world’s investable assets. Today we help over 90% of Fortune 100 companies and nearly all the t
We exist to shape decisions for the better — to protect and enrich the lives of people around the world. Through actionable analytic insight, globally integrated Risk Capital and Human Capital expertise, and locally relevant solutions, our colleagues provide clients in over 120 countries with the cl
At State Street, we deliver leading investment platforms, data, expertise, and solutions that accelerate performance and better decision making. With over 200 years of global financial leadership, we equip institutional investors through a comprehensive suite of capabilities: Investment Services: I
MassMutual
Living mutual has always been at the core of our human existence, and it's the principle that's guided us since our founding in 1851. It's not a concept we invented, but one we champion for the simple reason that people take it for granted today. While the world would have us strive for independenc
CIMB
CIMB Group is a leading ASEAN universal bank, one of the largest Asian investment banks and one of the world's largest Islamic banks. We are headquartered in Kuala Lumpur, Malaysia and offer consumer banking, commercial banking, wholesale banking, Islamic banking, and asset management products and
.png)
Spirit Super CyberSecurity News
October 29, 2025 08:59 PM
Security Intelligence—IBM podcast
Is a safe AI browser even possible? On this week's super spooky Halloween episode of Security Intelligence, host Matt Kosinski and panelists Suja Viswesan,...
October 08, 2025 07:00 AM
FIU Cybersecurity Researchers Develop Midflight Defense Against Drone Hijacking
The defensive system detects and neutralize cyberattacks on drones in real time.
April 16, 2025 07:00 AM
Super funds scramble to close cybersecurity gaps
Super funds' adoption of a key security measure remains patchy even in the aftermath of a co-ordinated cyberattack that resulted in member...
February 06, 2024 08:00 AM
Spirit Technology swoops on Sydney cybersecurity biz
Spirit Technologies, an ASX-listed provider of workplace tech solutions, has agreed terms to buy Sydney-based cybersecurity specialist...
June 01, 2023 07:00 AM
Australia's CareSuper, Spirit Super to merge
Australia's CareSuper and Spirit Super will merge to create a roughly A$45 billion ($29.9 billion) superannuation fund, the plans said in a joint statement.
April 26, 2023 07:00 AM
Stonepeak and Spirit Super complete purchase of Australia’s Geelong Port
Geelong Port, one of Australia's largest maritime facilities, has been bought by Stonepeak and Spirit Super as the companies complete their acquisition.
February 15, 2023 08:00 AM
Super funds beef up tech security amid tighter APRA checks
Super funds are beefing up security controls and spend to protect members' data – a key focus for the financial regulator – following the...
May 30, 2022 07:00 AM
50k customers caught up in Spirit Super phishing attack
As many as 50,000 members of Tasmanian-based industry super fund Spirit Super may have had their sensitive personal information compromised...
March 31, 2021 07:00 AM
More mergers in store for super sector
At long last, the momentum for mergers in the $3 trillion super fund sector is stepping up.
Frequently Asked Questions
Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.
Spirit Super CyberSecurity History Information
Official Website of Spirit Super
The official website of Spirit Super is https://spiritsuper.com.au.
Spirit Super’s AI-Generated Cybersecurity Score
According to Rankiteo, Spirit Super’s AI-generated cybersecurity score is 806, reflecting their Good security posture.
How many security badges does Spirit Super’ have ?
According to Rankiteo, Spirit Super currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.
Does Spirit Super have SOC 2 Type 1 certification ?
According to Rankiteo, Spirit Super is not certified under SOC 2 Type 1.
Does Spirit Super have SOC 2 Type 2 certification ?
According to Rankiteo, Spirit Super does not hold a SOC 2 Type 2 certification.
Does Spirit Super comply with GDPR ?
According to Rankiteo, Spirit Super is not listed as GDPR compliant.
Does Spirit Super have PCI DSS certification ?
According to Rankiteo, Spirit Super does not currently maintain PCI DSS compliance.
Does Spirit Super comply with HIPAA ?
According to Rankiteo, Spirit Super is not compliant with HIPAA regulations.
Does Spirit Super have ISO 27001 certification ?
According to Rankiteo,Spirit Super is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.
Industry Classification of Spirit Super
Spirit Super operates primarily in the Financial Services industry.
Number of Employees at Spirit Super
Spirit Super employs approximately 62 people worldwide.
Subsidiaries Owned by Spirit Super
Spirit Super presently has no subsidiaries across any sectors.
Spirit Super’s LinkedIn Followers
Spirit Super’s official LinkedIn profile has approximately 0 followers.
NAICS Classification of Spirit Super
Spirit Super is classified under the NAICS code 52, which corresponds to Finance and Insurance.
Spirit Super’s Presence on Crunchbase
No, Spirit Super does not have a profile on Crunchbase.
Spirit Super’s Presence on LinkedIn
Yes, Spirit Super maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/spirit-super.
Cybersecurity Incidents Involving Spirit Super
As of December 21, 2025, Rankiteo reports that Spirit Super has experienced 1 cybersecurity incidents.
Number of Peer and Competitor Companies
Spirit Super has an estimated 30,673 peer or competitor companies worldwide.
What types of cybersecurity incidents have occurred at Spirit Super ?
Incident Types: The types of cybersecurity incidents that have occurred include Breach.
How does Spirit Super detect and respond to cybersecurity incidents ?
Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with restored the compromised account and acted quickly to contain and limit the impact of the breach...
Incident Details
Can you provide details on each incident ?
Title: Spirit Super Data Breach Incident
Description: Australian pension provider Spirit Super suffered a data breach incident after an employee’s email account was accessed. An unauthorized party gained access to a mailbox containing personal data that included names and other sensitive information of approximately 50,000 individuals. The personal data included names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers, and member balances (as at 2019 and 2020). The breach was a result of a widespread phishing campaign which the team detected and restored the compromised account and acted quickly to contain and limit the impact of the breach.
Type: Data Breach
Attack Vector: Phishing
Vulnerability Exploited: Email account compromise
What are the most common types of attacks the company has faced ?
Common Attack Types: The most common types of attacks the company has faced is Breach.
How does the company identify the attack vectors used in incidents ?
Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Email account.
Impact of the Incidents
What was the impact of each incident ?
Incident : Data Breach SPI34211822
Data Compromised: Names, Addresses, Ages, Email addresses, Telephone numbers, Member account numbers, Member balances
What types of data are most commonly compromised in incidents ?
Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personal Data and .
Which entities were affected by each incident ?
Incident : Data Breach SPI34211822
Entity Name: Spirit Super
Entity Type: Pension Provider
Industry: Financial Services
Location: Australia
Customers Affected: 50000
Response to the Incidents
What measures were taken in response to each incident ?
Incident : Data Breach SPI34211822
Containment Measures: Restored the compromised account and acted quickly to contain and limit the impact of the breach.
Data Breach Information
What type of data was compromised in each breach ?
Incident : Data Breach SPI34211822
Type of Data Compromised: Personal data
Number of Records Exposed: 50000
Personally Identifiable Information: namesaddressesagesemail addressestelephone numbersmember account numbersmember balances
How does the company handle incidents involving personally identifiable information (PII) ?
Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by restored the compromised account and acted quickly to contain and limit the impact of the breach..
Initial Access Broker
How did the initial access broker gain entry for each incident ?
Incident : Data Breach SPI34211822
Entry Point: Email account
Post-Incident Analysis
What were the root causes and corrective actions taken for each incident ?
Incident : Data Breach SPI34211822
Root Causes: Phishing campaign
Additional Questions
Impact of the Incidents
What was the most significant data compromised in an incident ?
Most Significant Data Compromised: The most significant data compromised in an incident were names, addresses, ages, email addresses, telephone numbers, member account numbers, member balances and .
Response to the Incidents
What containment measures were taken in the most recent incident ?
Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident was Restored the compromised account and acted quickly to contain and limit the impact of the breach..
Data Breach Information
What was the most sensitive data compromised in a breach ?
Most Sensitive Data Compromised: The most sensitive data compromised in a breach were member balances, ages, telephone numbers, addresses, email addresses, names and member account numbers.
What was the number of records exposed in the most significant breach ?
Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 500.0.
Initial Access Broker
What was the most recent entry point used by an initial access broker ?
Most Recent Entry Point: The most recent entry point used by an initial access broker was an Email account.
.png)
Latest Global CVEs (Not Company-Specific)
Description
n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.
Risk Information
cvss3
Base: 9.9
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References
- https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79
- https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000
- https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316
- https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp
Description
FastAPI Users allows users to quickly add a registration and authentication system to their FastAPI project. Prior to version 15.0.2, the OAuth login state tokens are completely stateless and carry no per-request entropy or any data that could link them to the session that initiated the OAuth flow. `generate_state_token()` is always called with an empty `state_data` dict, so the resulting JWT only contains the fixed audience claim plus an expiration timestamp. On callback, the library merely checks that the JWT verifies under `state_secret` and is unexpired; there is no attempt to match the state value to the browser that initiated the OAuth request, no correlation cookie, and no server-side cache. Any attacker can hit `/authorize`, capture the server-generated state, finish the upstream OAuth flow with their own provider account, and then trick a victim into loading `.../callback?code=<attacker_code>&state=<attacker_state>`. Because the state JWT is valid for any client for \~1 hour, the victim’s browser will complete the flow. This leads to login CSRF. Depending on the app’s logic, the login CSRF can lead to an account takeover of the victim account or to the victim user getting logged in to the attacker's account. Version 15.0.2 contains a patch for the issue.
Risk Information
cvss3
Base: 5.9
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
References
- https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L111
- https://github.com/fastapi-users/fastapi-users/blob/bcee8c9b884de31decb5d799aead3974a0b5b158/fastapi_users/router/oauth.py#L57
- https://github.com/fastapi-users/fastapi-users/commit/7cf413cd766b9cb0ab323ce424ddab2c0d235932
- https://github.com/fastapi-users/fastapi-users/security/advisories/GHSA-5j53-63w8-8625
Description
FileZilla Client 3.63.1 contains a DLL hijacking vulnerability that allows attackers to execute malicious code by placing a crafted TextShaping.dll in the application directory. Attackers can generate a reverse shell payload using msfvenom and replace the missing DLL to achieve remote code execution when the application launches.
Risk Information
cvss3
Base: 9.8
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss4
Base: 8.5
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlled server, enabling potential account takeover by intercepting and using stolen reset tokens.
Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss4
Base: 8.6
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.
Risk Information
cvss3
Base: 9.8
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss4
Base: 8.5
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Access Data Using Our API
Get company history
curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=spirit-super' -H 'apikey: YOUR_API_KEY_HERE'
RapidWhat Do We Measure ?
Incident
Finding
Grade
Digital Assets
Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.
These are some of the factors we use to calculate the overall score:
Network Security
Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.
SBOM (Software Bill of Materials)
Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.
CMDB (Configuration Management Database)
Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.
Threat Intelligence
Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.
Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.
