Australian Financial Firm FIIG Securities Faces Lawsuit After Massive Financial Data Breach

FIIG Securities faces legal action from ASIC for inadequate cybersecurity, leading to a data breach exposing 18,000 clients' sensitive information. The breach highlights the critical need for robust security measures.
Australian Financial Firm FIIG Securities Faces Lawsuit After Massive Financial Data Breach
Table of Contents
    Add a header to begin generating the table of contents

    Australian financial services firm FIIG Securities is facing legal action from the Australian Securities and Investments Commission (ASIC) following a Financial Data Breach. The breach, which exposed sensitive information belonging to 18,000 clients, highlights the critical consequences of neglecting cybersecurity best practices.

    According to court documents filed by ASIC in the Federal Court of Australia, FIIG operated with inadequate cybersecurity measures from March 2019 to June 2023, violating its obligations as an Australian Financial Services (AFS) licensee. This lapse in security allowed a hacker to infiltrate FIIG’s IT network and remain undetected for nearly three weeks (May 19 to June 8, 2023). During this time, approximately 385GB of confidential client data was exfiltrated and subsequently released on the dark web.

    “The stolen information included highly sensitive customer data such as names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers.”

    ASIC’s statement.

    ASIC’s complaint accuses FIIG of failing to implement several basic cybersecurity measures:

    • Improper firewall configuration and monitoring.
    • Inconsistent and untimely software and operating system updates and patching.
    • Lack of regular, mandatory cybersecurity awareness training for staff.
    • Inadequate allocation of human, technological, and financial resources for cybersecurity.

    The breach originated when a FIIG employee inadvertently downloaded a malicious .zip file while browsing the internet. This malware enabled the attacker to gain remote access, perform lateral movement, and escalate privileges within FIIG’s network.

    Within days, the attacker accessed a privileged user account and began downloading data.

    “Cybersecurity isn’t a set-and-forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD’S ACSC.”

    ASIC Chair Joe Longo

    ASIC’s complaint includes annexes listing 12 key actions for securing enterprise infrastructure that FIIG failed to implement and six risk management measures it neglected. FIIG reportedly learned of the potential breach on June 2, 2023, from the Australian Cyber Security Centre (ACSC), but didn’t begin a proper investigation until June 8th.

    Helpful Reads:

    Related Posts