Super SA, the South Australian government-owned superannuation provider, has disclosed a data breach at a “former external service provider” that affects member data.
Super SA administers superannuation schemes for many South Australian public sector employees.
The breach disclosure is brief, simply noting that the provider is “aware [of] a small cohort of members who may have been impacted by a cyber security incident”.
“We are taking an abundance of caution to secure member accounts in the acknowledgement that the data has been breached,” it said.
“However, at this stage it is still unknown if any of the Super SA data has been accessed.”
Super SA said that there had so far been “no indication of suspicious activity” on accounts, but said it had “heightened ID theft monitoring and controls for those who may be impacted” since being informed of the incident.
The ABC reported comments by SA Treasurer Stephen Mullighan to parliament yesterday, that the data is from an outsourced call centre operation that took member phone calls as part of a previous cyber security mop-up in 2019.
Mullighan is also reported to have criticised the time it took SA Super to publicly disclose the incident – almost two months after first learning of it.
Hansard records for SA Parliament for Wednesday had not yet been published.
An examination of Super SA’s “practices, policies and procedures” last year [pdf] showed the entity’s staff were largely awake to and focused on the “potential for member fraud and other threats posed by external actors, such as cyber security threats.”
The same examination noted that Super SA had engaged Deloitte to conduct “cyber security, fraud risk management, and data governance” audits of the entity’s own systems between 2019 and 2021.
About Author
