Super SA, a government-owned superannuation provider in South Australia, has revealed a data breach originating from a “former external service provider,” affecting a limited group of members.
While the breach disclosure was brief, it acknowledged the existence of a “small cohort of members” potentially affected by this cyber security incident. Super SA has taken swift action to safeguard member accounts in response to the data breach, although it remains uncertain whether any Super SA data has been accessed by the unauthorized parties.
As of now, Super SA has not observed any suspicious activities on member accounts. However, in an abundance of caution, the organization has implemented heightened identity theft monitoring and security controls for those members who may be impacted by the breach. The breach’s source was revealed as an outsourced call center operation that previously handled member phone calls during a cybersecurity cleanup in 2019.
Criticism has arisen regarding the time it took for Super SA to publicly disclose the incident, with SA Treasurer Stephen Mullighan expressing concerns over the almost two-month delay in reporting the breach.
Furthermore, an examination of Super SA’s “practices, policies, and procedures” from the previous year noted that the organization’s staff was highly vigilant and focused on potential threats such as member fraud and other risks posed by external actors, particularly in the realm of cybersecurity. The examination also revealed that Super SA had engaged Deloitte to conduct audits in areas such as cybersecurity, fraud risk management, and data governance within the organization’s own systems between 2019 and 2021. This breach underscores the ongoing challenges in safeguarding sensitive member data, with Super SA taking proactive measures to mitigate potential risks and restore trust among its members.