Updates with comments from the Prime Minister, statements from Hostplus, Australian Retirement Trust

By Christine Chen

SYDNEY, April 4 (Reuters) - Hackers targeting Australia's major pension funds in a series of coordinated attacks have stolen savings from some members at the biggest fund, according to a source with knowledge of the matter, and compromised more than 20,000 accounts.

National Cyber Security Coordinator Michelle McGuinness said in a statement she was aware of "cyber criminals" targeting accounts in the country's A$4.2 trillion ($2.63 trillion) retirement savings sector and was organising a response across the government, regulators and industry. It was still unclear how many pension funds and members were affected.

AustralianSuper, the country's largest fund managing A$365 billion for 3.5 million members, confirmed that up to 600 member passwords had been stolen to access accounts and commit fraud.

"We took immediate action to lock these accounts and let those members know," AustralianSuper's Chief Member Officer Rose Kerlin said, urging all members to check their online balances.

Four AustralianSuper members had a combined A$500,000 drained from their balances and transferred to other accounts that did not belong to them, according to the source, who was not authorised to speak publicly about the matter.

AustralianSuper did not respond immediately to a request for comment.

Australian Retirement Trust, the second-largest fund managing A$300 billion for 2.4 million members, said it had detected "unusual login activity" affecting "several hundreds" of accounts. It locked impacted accounts as a precaution, though there were no suspicious transactions or changes made.

Rest Super, the default industry pension fund for retail workers, with A$93 billion of assets under management, said it suffered an attack that impacted around 20,000 accounts, or around 1% of its 2 million members.

"Over the weekend of 29-30 March 2025, Rest became aware of some unauthorised activity on our online Member Access portal," Rest CEO Vicki Doyle said.

"We responded immediately by shutting down the Member Access portal, undertaking investigations and launching our cyber security incident response protocols."

Insignia Financial IFL.AX, which manages A$327 billion, said a "malicious third-party" attempted to access online pension accounts on its Insignia Financial Expand platform. There had been no financial impact at this stage to members, an Insignia spokesperson said.

Hostplus, which has more than 1.8 million members and A$115 billion under management, also confirmed it suffered an attack. A spokesperson said no member losses had occurred but that it was still investigating the extent of the incident.

Prime Minister Anthony Albanese said he had been briefed about the hacks and said there would be a "considered" response from government agencies in time. He added that such attacks were a "regular issue" in Australia, with one occurring every six minutes.

Australia's largest not-for-profit hospital and aged care provider St Vincent's Health, private health insurer Medibank MPL.AX and telecom Optus have all suffered major breaches.

The government in 2023 committed A$587 million to fund a seven-year strategy to improve the cybersecurity of citizens, businesses and agencies.

($1 = 1.5995 Australian dollars)

(Reporting by Christine Chen in Sydney; Editing by Jamie Freed and Sonali Paul)

((christine.chen@thomsonreuters.com; +61 2 9171 7119;))