Super SA
Summary
Super SA, the South Australian government-owned superannuation provider, disclosed on 17 October 2023 that a former external call centre provider experienced a data breach affecting 14,011 members. The third-party provider, Contact 121, had been contracted in 2020 to handle inquiries from members affected by a separate 2019 breach but retained member data after the contract ended. Super SA became aware of the incident on 1 September 2023 but did not receive confirmation of the breach until 4 October.
What Happened
Contact 121, an Adelaide-based call centre company, was hired by Super SA in 2020 to assist members caught up in a 2019 data incident. After the contract ended, Contact 121 retained data about Super SA members dating back to 2020 or earlier.
In September 2023, this legacy data was compromised in a cyberattack targeting Contact 121's systems. Super SA became aware of the cyber security incident on 1 September 2023, but the organisation did not receive confirmation that a breach had occurred until 4 October 2023. The breach was publicly disclosed on 17 October 2023, approximately one and a half months after initial awareness.
Impact on Individuals
The breach affected 14,011 Super SA members whose information had been shared with Contact 121 during the 2020 engagement. Compromised data included names, addresses, and dates of birth. Importantly, none of the compromised data was more recent than 2020.
The delay in notification raised concerns about transparency and timely communication to affected members: the South Australian Treasurer was not informed until late October, nearly two months after Super SA first became aware of the incident.
Organisational Response
Super SA publicly disclosed the third-party breach on 17 October 2023 and notified affected members. The organisation emphasised that the breach involved a former service provider rather than Super SA's own systems.
The incident raised broader questions about data retention practices by third-party contractors and the importance of ensuring contract terms mandate data destruction when services conclude. The significant delay between Super SA learning of the incident (1 September) and public disclosure (17 October) prompted calls for swifter cyber incident response protocols in the South Australian government.