Updated: 6 June 2022
On 19 May 2022 Spirit Super experienced a data incident where a staff member’s email account was compromised.
We detected the information security breach and contained the account quickly. We have continued to investigate the extent of the breach, and we believe there was unauthorised access to a mailbox containing personal data.
The personal data that may have been compromised is similar to some information provided in an annual statement, including names, addresses, ages (as at 2019 and 2020), email addresses, telephone numbers, member account numbers and member balances (as at 2019 and 2020).
In the majority of instances, this data doesn’t include dates of birth, government identification numbers (such as tax file numbers or driver’s licence details), or bank accounts. However, we have also found a small number of identification documents (such as driver’s licences and passports), bank account details, tax file numbers, dates of birth and statements in the compromised data. We are working to alert and support the small number of individuals impacted as a matter of priority.
The breach was the result of email phishing activity rather than a system error; regardless, we are taking all reasonable steps to prevent this from happening again.
Please be assured that investigations to date indicate that accounts have not been compromised. We have increased the levels of security to ensure our members’ accounts remain safe. Our investigation will continue.
What are we doing?
Spirit Super takes cybersecurity and the protection and privacy of our members’ data extremely seriously. We moved immediately to secure accounts and member data.
We are undertaking a thorough investigation to assess the impact. This includes reviewing account activity and placing enhanced controls on accounts.
We are also notifying all relevant authorities, including the Privacy Commissioner, and will work with them in a transparent manner.
We will take immediate precautions to further strengthen our IT security and reduce future risks of cyber incidents.
I’m worried, who can I speak to about this?
We understand that members may feel worried about this breach and how it may affect them personally. Please be assured that our members are our highest priority, and that we have worked, and will continue to work, to assess and contain the situation. We deeply regret this incident, and sincerely apologise to members who may have been affected by this data breach.
General inquiries can continue to be made to the Spirit Super contact centre on 1800 005 166. We have extended our contact centre hours and will also be open on Saturday 28 May between 8 am and 12 pm if you wish to speak to someone sooner.
If there is any further information that comes to light, we will let you know by updating this page.
How did this happen?
In short, it was human error during a malicious email attack posing as official correspondence. This was not the result of a material security control weakness or technology failure. The malicious email resulted in a staff member's password being compromised.
Spirit Super employs multifactor authentication (MFA) in addition to a username and password to access our systems. Unfortunately, this additional layer of protection was overcome by the attacker and the mailbox was accessed. Phishing attacks such as this are becoming increasingly sophisticated and common.
We have a skilled internal team focused on cyber security and protecting your information. This team detected the compromised account and acted quickly to contain and limit the impact of the breach. No further accounts or systems were impacted.
Was this a targeted attack?
No. We believe this was not a targeted attack. Quite the opposite: we believe that Spirit Super was caught up in a broad phishing campaign.
Why was my data in the mailbox?
We are reviewing all our data handling practices and staff training. As a member-focused organisation, our staff are required to handle member data for various reasons. Regrettably, some of this data was contained within the compromised email mailbox.
While we know the malicious party had access to the mailbox, they may not be aware that they have this information. We cannot speculate on their motive for the original attack.
Do we know if my information has been accessed?
We have no evidence to suggest your information and the broader set of member data has been intentionally accessed. All we know is that the email account was compromised, and within that mailbox this data was available. The attacker may not be aware of the data set. Because of this, we recommend limiting any activity that might draw attention to your details being included in the data set, such as posting on social media.
Is my money safe?
Yes. Your money is safe. We increased our security controls immediately following this breach. This includes increased identification steps on the accounts of impacted members. We have proactively implemented a block to payments from these accounts as a precaution. Please contact us if you have a need to withdraw money from your account and are eligible to do so. We are not aware of any unauthorised activity to member accounts.
Note for pension members: The block to payments does not apply to established regular pension payments that are going to the usual bank account; these payments will continue as normal.
Has there been any suspicious account activity since the breach?
No. We have no evidence of suspicious activity since the breach. We have analysed account activity for impacted members specifically looking for unusual activity with nothing identified to date. We continue to monitor all impacted members' accounts in addition to our block on payments to minimise any risk of fraudulent access of funds. Fraud monitoring and controls are a regular aspect of our business and remain in place to protect all member accounts from unauthorised activity.
The compromised data is not sufficient on its own for someone to access your Spirit Super account.
How do I know if I am affected by this privacy breach?
We have attempted to email, SMS and send letters to all identified impacted members. Letters were posted on 31 May 2022 and will be delivered soon.
Further contact will be made where we identify individuals who have additional data that has been compromised. We have also put a notice in Member Online accounts for those impacted who are current members.
However, we have been unable to contact a small number of members via email, SMS or letter. If you:
- were a Tasplan member between 2017 and 2021
- don’t have a current account, or are unable to access your Member Online account to check if you have a notice about the data breach, and
- are concerned that you may be affected,
please contact us on 1800 005 166.
How many members were impacted?
As far as we know, the impact on individual members is limited to the information shared on this page, which we keep up to date. We are reporting the scope of the incident to the required authorities. The number of members impacted is broad: the breach affects over 50,000 individuals.
Why wasn't I notified sooner?
Spirit Super took appropriate response measures at the time the email account was compromised. Once we identified that a privacy breach had occurred and the scope of the incident had changed, we immediately began the process of implementing additional measures to protect our members and preparing communication to affected members. We alerted impacted individuals as soon as we could following discovery of the privacy breach. Our monitoring and investigation continues.
What should I do?
Remain vigilant to unsolicited emails, text messages or phone calls. If you do receive contact that you believe to be suspicious, do not provide information to the caller. Contact Scamwatch to report the matter (www.scamwatch.gov.au).
There is no need to change passwords for your Member Online account as passwords were not included in the data that was compromised. You can of course change this if you are concerned. Multi-factor authentication is required for sensitive account transactions to protect your information and keep you safe.
We would also suggest that you do not share that your personal information may have been compromised online or on social media to reduce your chances of becoming a target for further activity. We encourage members to be aware of any sensitive personal information they may have within their social media profiles that could be publicly available - such as date of birth.
Please remember that this advice applies more broadly than just in relation to your Spirit Super account. If you receive unsolicited contact, we recommend verifying the contact prior to responding.
If you are concerned, you can also contact your financial institution to advise that your personal information has been involved in a data breach. They may be able to put in place additional safeguards for your accounts.
If your identity documents have been compromised, we recommend you speak with the agency that issued the document to advise of the data breach.
If your tax file number was involved, we recommend you contact the Australian Taxation Office so that they can monitor any unusual or suspicious activity with your tax file number.
Keep a record of the activities you take in order to reduce your risk of harm.
What specific information was contained in the breach?
The dataset included the following information, noting that not all members have all of these details in our systems. The information in the dataset was largely from June 2019 and 2020 and included:
- Member Number
- First name
- Email Address
- Home Phone
- Mobile Phone
- Age (but not date of birth)
- Account Balance
The following information has also been identified for a small number of individuals:
- Driver’s licence
- Tax file number
- Bank account
- Date of birth
What can be done with the information?
For most people affected there is minimal risk of identity theft or fraud as a result of the limited data set involved in the privacy breach. Typically, 100 points of ID are required for someone to apply for a credit card or take out a loan. This information set does not provide that level of information. There was also no password or password clue information (such as mother's maiden name) or other information typically needed to confirm your identity with a financial institution.
It is possible that the information could be used to contact you in an attempt to get you to disclose further information. This is why we recommend you remain vigilant.
We are contacting a small number of individuals at a greater risk as a matter of priority.
Will you change my member number?
No passwords were accessed through this breach. We are not recommending changing member numbers. Changing account numbers is not necessary and may have unintended consequences, for example implications for any Centrelink entitlements for members in pension phase.
What is being done to prevent this from happening again?
Spirit Super takes your privacy and the security of our information and systems extremely seriously. Online threats are constantly evolving, and no organisation can completely mitigate these risks. We continue to invest in internal capability, technology, improved internal processes, and staff training to reduce the likelihood and severity of future data breach events. In the immediate term, we will be communicating with all staff and providing guidance on enhanced measures when handling sensitive information, and taking extra precautions around multifactor authentication prompts.
Is there external support available to me?
For our members affected by the data breach, we have engaged specialist care management service IDCARE to provide further support. IDCARE supports members of the community across Australia and New Zealand who have concerns about their identity or related cyber security.
IDCARE will be able to provide members with personalised support and confidential advice. Members will receive their own tailored response plan, a dedicated Identity and Cyber Support Case Manager, counselling sessions with a qualified Identity and Cyber Security Counsellor and ongoing counselling and support. If you would like to access this service, please call us on 1800 005 166 and we will assist you to access their service. For more information about IDCARE, visit www.idcare.org.
Staying safe online
Simple steps and resources to help keep you safe online.
As cyber crime and spam become more sophisticated it is important to be careful when interacting online.
General tips to keep your personal information safe
- Never open attachments or click on links in emails or social media messages from unknown senders.
- Be cautious when answering calls from unfamiliar numbers or talking to or following instructions from someone you do not know.
- Refrain from sharing any personal information until you are certain about who you are sharing it with.
- Change your passwords regularly. Passwords should be long and complex and you should not recycle or reuse passwords across services.
- Don’t store your passwords in your email account, or in documents. Consider using password management software.
- Enable multi-factor authentication for your online accounts wherever possible.
- Ensure you have up-to-date anti-virus software installed on any device used to access online accounts.
- Visit oaic.gov.au/privacy/data-breaches/respond-to-a-data-breach-notification for further guidance about protecting your identity.
Stay Smart Online
Stay Smart Online is the Federal Government’s cyber security education portal. Learn how to improve your personal cyber security at staysmartonline.gov.au.
What can I do to protect myself?
Spirit Super has anti-fraud controls and monitoring services in place on all account transactions. Our processes accommodate the threat of identity fraud and the risk of fraud attempts that may come from a data breach. We have systems in place that monitor all accounts for unusual activity, changes in details, and changes in typical operation.
You can protect your identity by:
- Not sharing personal details like your date of birth publicly;
- Being suspicious of any requests for personal details or government identification;
- Being wary of any email, letter or text message from your financial institution that refers to an action (like a password or email change) or transaction you don't recognise. If this happens, call your financial service provider via their publicly listed phone number;
- Advising relevant entities (for example, your bank and the ATO) that your data was involved in this data breach, so that they can provide additional safeguards to protect your identity.
We encourage all affected members to monitor information about the data incident and to stay up-to-date with current developments here: https://spiritsuper.com.au/privacy-breach-2022
- Visit the Australian Competition and Consumer Commission’s ScamWatch page and consider subscribing to their alerts.
- Visit the Australian Cyber Security Centre’s Stay Smart Online service for the latest tips on remaining safe online.
- Subscribe to IDCARE’s Community Online Newsletter, Cyber Sushi, for the latest trends and advice on what’s impacting the community’s personal information.
- Visit the Office of the Australian Information Commissioner’s website, where you will find resources on data breaches, your rights, and response options.