Australian financial services firm FIIG Securities is facing legal action from the Australian Securities and Investments Commission (ASIC) following a financial data breach. The breach, which exposed sensitive information belonging to 18,000 clients, highlights the serious consequences of neglecting cybersecurity best practices.
According to court documents filed by ASIC in the Federal Court of Australia, FIIG operated with inadequate cybersecurity measures from March 2019 to June 2023, violating its obligations as an Australian Financial Services (AFS) licensee. This lapse in security allowed a hacker to infiltrate FIIG’s IT network and remain undetected for nearly three weeks (May 19 to June 8, 2023). During this time, approximately 385GB of confidential client data was exfiltrated and subsequently released on the dark web.
“The stolen information included highly sensitive customer data such as names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers,” ASIC said in its statement.
ASIC’s complaint accuses FIIG of failing to implement several basic cybersecurity measures:
- Improper firewall configuration and monitoring.
- Inconsistent and untimely software and operating system updates and patching.
- Lack of regular, mandatory cybersecurity awareness training for staff.
- Inadequate allocation of human, technological, and financial resources for cybersecurity.
The breach originated when a FIIG employee inadvertently downloaded a malicious .zip file while browsing the internet. This malware enabled the attacker to gain remote access, perform lateral movement, and escalate privileges within FIIG’s network.
Within days, the attacker accessed a privileged user account and began downloading data.
“Cybersecurity isn’t a set-and-forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’s ACSC,” said ASIC Chair Joe Longo.
ASIC’s complaint includes annexes listing 12 key actions for securing enterprise infrastructure that FIIG failed to implement and six risk management measures it neglected. FIIG reportedly learned of the potential breach on June 2, 2023, from the Australian Cyber Security Centre (ACSC), but did not begin a proper investigation until June 8.