Cybersecurity: Morocco, Australia Funds Hacked
A cyber attack on Morocco’s National Social Security Fund, known as Caisse Nationale de Sécurité Sociale (CNSS), is suspected to have compromised the personal data of nearly 2 million employees from thousands of companies in the country, exposing that data to the risk of unauthorised use. Various media reports suggested that the attack may have exposed personal data of employees across approximately 500,000 businesses registered with the Morocco Fund.
In a media release, CNSS confirmed that its information system was subjected to a series of cyberattacks aimed at circumventing security measures, noting that these attacks caused a data leak, the origins and scope of which are currently being assessed. However, it also revealed that initial verifications showed that these data were often falsified, inaccurate, or truncated. The attack prompted the country’s National Commission for the Control and Protection of Personal Data to warn of risks linked to the unauthorised use of personal data in the aftermath of the breach of the Fund.
CNSS in the statement urged “all citizens and media to exercise caution, a sense of responsibility, and to avoid any act of disseminating or sharing leaked or falsified data, under penalty of legal consequences.”
Across the oceans in Australia, hackers are reported to have attacked Australia’s major pension funds, compromising over 20,000 member accounts and stealing some members’ savings. The attacks targeted the cash-rich retirement savings sector, with funds such as AustralianSuper and Australian Retirement Trust compromised.
The attacks were confirmed by National Cyber Security Coordinator Michelle McGuinness, who, according to Reuters, said in a statement that cyber criminals targeted accounts in the country’s $2.63 trillion retirement savings sector. The country was organising a response across the government, regulators, and industry.
The Association of Superannuation Funds of Australia, the industry body, confirmed the attack and that several funds were impacted. AustralianSuper, Australian Retirement Trust, Rest, Insignia and Hostplus also confirmed on April 4, 2025, that they were compromised by the cyberattacks. Worryingly, AustralianSuper, the country’s largest fund with over 3.5 million members, confirmed that up to 600 member passwords had been stolen to access accounts, and there was attempted fraud.
The Fund, however, assured members and the country that it took action and locked the compromised accounts and communicated to affected members, while there has been coordinated remedial action from the Australian Government, industry leaders, and regulators.
Cybersecurity Tips
How schemes can protect members’ data:
- Secure your IT infrastructure – Protect your company's information technology infrastructure by setting up firewalls and encrypting information. Ensure company data is backed up automatically and regularly, at a frequency that depends on the activity level within your company; this prevents complete data loss in case of a data breach.
- Educate your staff – Regularly train your staff about their obligation to ensure information security, and ensure they adhere to the information security policies in place.
- Create security policies and practices – Put in place company policies to guide your company's IT security practices. Policies may include guidelines on system accessibility, devices, and issue resolution; flagging and resolution of potential threats; and reward and punishment for policy adherence and breach, respectively.
- Invest in data security professionals – Onboard your own competent staff, specially trained in technology and information security, or contract world-renowned information security firms.
- Involve partners and customers – Involve key customers who may have access to your systems as a result of data sharing agreements and integration requirements. Limit what information they can access and share.
- Be wary of unsolicited emails, messages, and unknown calls – Screening mechanisms should be put in place to ensure unsolicited communication does not bypass IT security procedures. This is more critical in times of crisis or business uncertainty.
How can you protect yourself from cybercrime?
- Beware of AI-generated content – Inconsistencies and anomalies in content, such as image and voice distortions and unnatural actions like uncoordinated hand and facial movements, can help pick out AI-generated content.
- Secure your home network – If you use a home network, get experts to ensure it is secure. Create stronger passwords, limit access to the Wi-Fi network, and allow only known and trusted users.
- Protect your equipment – Install the latest antivirus software on your equipment and regularly update all your applications.
- Keep personal information private – Avoid sharing personal information with strangers, and even with known associates, unless it is justified.
- Regularly review your bank statements – look out for unfamiliar and unauthorised transactions. This will enable you to notify your bank or other financial institution in time should your accounts be compromised.