Brand trust on the line after coordinated super cyber attack
On Friday morning, thousands of Australians checked their super balances and saw something that sent their stomachs into freefall: $0.00.
The message that followed – “Don’t panic if your balance is zero” – did little to stop the panic.
In the days since, we’ve learned that a coordinated cyber attack targeted several major Australian super funds. Hackers used a technique called credential stuffing (relying on previously stolen passwords reused across platforms) to access personal data and, in some cases, steal funds. This wasn’t just a breach in the system. It was also a breach of trust.
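As an added illustration (not part of the original article), here is how a fund’s security team might spot the credential-stuffing pattern described above in its own login logs: one source trying many different usernames in a short burst, mostly failing, with the occasional success being a reused password that happened to work. The log lines, IP addresses and usernames are constructed, and the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2025-04-04T06:00:01 203.0.113.7 alice FAIL
2025-04-04T06:00:02 203.0.113.7 bob FAIL
2025-04-04T06:00:03 203.0.113.7 carol OK
2025-04-04T06:00:04 203.0.113.7 dave FAIL
2025-04-04T06:00:05 203.0.113.7 erin FAIL
2025-04-04T06:00:06 203.0.113.7 frank FAIL
2025-04-04T06:03:00 198.51.100.9 alice OK
2025-04-04T06:04:00 198.51.100.9 alice FAIL
2025-04-04T06:05:00 198.51.100.9 alice OK
"""

def parse_events(text):
    """Parse one event per line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct usernames in one window, mostly failing.
    Thresholds are assumed values; a single success inside such a burst is the telltale sign."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # timestamps are unique, so sorting is by time
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            if len(users) >= min_users and successes / len(in_window) <= max_success_rate:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(in_window), "successes": successes}
                break  # one alert per source is enough for triage
    return alerts

def accounts_to_review(events, alerts):
    """Usernames that logged in successfully from a flagged source: lock and notify these first."""
    return sorted({user for _, ip, user, ok in events if ok and ip in alerts})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = detect_stuffing(evs)
    print(flagged, accounts_to_review(evs, flagged))
```

The legitimate member retrying their own password from 198.51.100.9 is not flagged, while the burst from 203.0.113.7 is, and the one account it got into is surfaced for lockdown and personal notification.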
And for marketers in finance, it’s a moment worth studying.
Why this breach hit differently
There have been bigger breaches, technically speaking. But this one landed hard, for a few key reasons:
Super is built on the promise of security, dependability and long-term thinking. It’s supposed to be the safety net, not the risk.
Its impact was real and tangible, with some members seeing their balances drained or disappear entirely.
For many members, the first they heard of the breach wasn’t from their fund – it was from the media, social feeds, or the gut-punch of logging in and realising something was wrong.
Where things fell short
Some funds were quiet. Others offered generic messages with little clarity about what happened, what data was exposed or what action members should take. In a breach, time is trust. The longer it takes to hear from your fund, the more customers will assume the worst, then head to Reddit or the media for answers.
There was also an over-reliance on technical language that didn’t translate to real-world reassurance. “Credential stuffing” means little to a panicked member whose balance is showing zero. In that moment, they don’t want cybersecurity terminology. They want clarity, empathy and direction.
Some funds moved quickly behind the scenes but were slow to communicate with members, employers and other important stakeholders.
Even people who weren’t directly impacted were left wondering: Could I be next? What should I do? Silence or vagueness makes people feel exposed. As it turns out, a lack of reassurance can be as damaging as a breach itself.
What some funds got right
Some super funds acted fast to lock down affected accounts, notify the regulator and issue statements. Most were also clear that their internal systems hadn’t been compromised, but rather that the attacks had leveraged weak or reused passwords. That’s an important distinction, and one that helps de-escalate panic.
It was also encouraging to see funds collaborating with cybersecurity agencies like the Australian Signals Directorate and OAIC. Mentioning these partnerships in communications added much-needed credibility and signalled that funds weren’t handling this alone.
What super funds should be doing right now
Be transparent, even if you don’t have all the answers
If your fund was directly affected, the priority right now should be hyper-transparency. Even if investigations are still underway, members want to hear from you. It’s okay to say “We’re still gathering details” as long as you’re also telling them what you do know, what actions you’ve taken and when they can expect to hear from you again. Uncertainty is forgivable; silence is not.
Give impacted members personalised clarity
For members who were affected, your communication needs to be personal and detailed. Tell them exactly what data of theirs was accessed, whether any money was stolen, and what you’re doing to protect them now. Whether that’s offering credit monitoring, fast-tracking reimbursements or locking accounts – make it known, and make it clear.
Tell them what you know, and if there is anything you don’t know, tell them what you’re doing to find answers and when you will next contact them with an update. Not only does this confidently signal that you are on top of the issue and its impact, it also reduces pressure on inbound customer service teams.
Show the safeguards in action
This is also the time to show, not just say, that you’re acting on it. If you’ve rolled out new authentication steps, changed protocols or tightened access, share that news loudly and confidently. The visual cues of protection are powerful. Your homepage, app notifications and emails should all carry the same message: we’re on it, and we’re making it safer.
Put a human face on your response
Tone matters. A short, sincere video from your CEO or Head of Member Experience can be more powerful than a 1,000-word press release. People trust people. It helps bring humanity to a moment that feels frightening and faceless.
Make space for questions and concerns
If you haven’t already, consider hosting a live Q&A session or at least publishing a thorough FAQ. Members need to feel like there’s a way to ask questions and be heard. Even just offering the option can reduce anxiety.
Audit your crisis readiness
The real work starts after the dust settles. This is the moment to reassess your crisis communications plan, update your messaging library, brief your spokespeople and comms team, and rehearse for next time. Because unfortunately, there will be a next time.
What funds not affected (yet) should be doing
Get on the front foot with proactive communication
Even if you weren’t caught up in this breach, your members are watching. They’re wondering whether it could happen to them, and whether their fund is doing enough to prevent it.
Now is a smart time to communicate your cybersecurity posture. A short statement or blog post explaining what measures you already have in place – and what you’re doing to strengthen them – can go a long way.
Reconnect with your purpose
This is also a great time to reinforce your purpose. Super isn’t just a product: it’s your members’ financial future. Grounding your communications in this idea can help you maintain credibility and emotional connection, even when the conversation is about risk and threat.
Empower your members with action steps
Don’t forget to help your members help themselves. Offer them simple, practical ways to strengthen their own account security – like updating passwords, enabling two-factor authentication or spotting scam emails. Create a central hub, share a checklist or build a member-friendly explainer page. It reduces fear and contact centre strain.
Check your own breach response plan
Take this as your cue to audit your readiness. How quickly could your team respond to a breach? Are your holding statements pre-approved and on-brand? Do your spokespeople know how to handle media pressure? Are your comms, brand and legal teams working together or in silos? Answering those questions now could mean everything later.
Trust is built in small moments, and tested in big ones
If you’re a finance marketer, cyber attacks aren’t just IT problems. They’re brand moments.
What you say next matters. How you say it matters more. The funds that act with clarity, humility and care will not only retain trust, they may also deepen it.
And if you’re not sure where to start? That’s where we come in.
Need help preparing for your brand’s worst day? Or responding in the midst of one? Let’s talk.