
Investment firm sued by ASIC over breach linked to Russian ransomware gang

By David Hollingworth

The financial regulator has announced it is pursuing an Australian investment firm over a 2023 data breach linked to the Russian ransomware gang ALPHV.

The Australian Securities and Investments Commission (ASIC) has revealed it is suing FIIG Securities over alleged cyber security failures in the lead-up to, and the response to, a ransomware-related data breach in May and June of 2023.

“ASIC alleges from March 2019 to 8 June 2023, FIIG failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place,” ASIC said in a 13 March press release, referring to documents filed with the Federal Court of Australia.

According to ASIC, it was this lack of preparedness that allowed a Russian ransomware operator to gain access to FIIG’s network between 19 May and 8 June 2023. This compromise saw the hackers steal 385 gigabytes of data, which the ALPHV ransomware gang published shortly after.


The stolen data included scans of driver’s licences and passports, bank details, tax file numbers, and commercially confidential data. In the wake of the data breach, FIIG notified approximately 18,000 clients that their personal data may have been compromised.

FIIG was warned of a potential intrusion by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) on 2 June but was not aware of any network compromise prior to that date. FIIG’s own investigations did not occur until 8 June.

ASIC is seeking “declarations of contraventions, civil penalties and compliance orders” regarding FIIG’s alleged failures to properly configure and monitor its network firewalls, address security vulnerabilities within systems, provide adequate cyber security training to staff, and have the necessary human and technical resources in place to protect the company, its clients and their data.

“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cyber security systems,” ASIC chair Joe Longo said in a statement.

“Cyber security isn’t a set-and-forget matter. All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the ASD’s ACSC.

“Australian financial services licensees are required by law to have adequate cyber security risk management systems in place. We allege FIIG’s inadequate cyber security measures left the business and its confidential client information vulnerable and exposed to significant risk.”

At the time of the incident, several worried clients expressed their dismay to the ABC.

“It points to perhaps a certain negligence or complacency on the part of FIIG, which I find rather surprising given the high-profile cases of cyber security incidents we’ve seen in recent years,” one client told the national broadcaster.

“To get right down into the details of whether sensitive information that’s not required is being retained inappropriately, to make sure that sensitive data that’s not needed is securely destroyed.”

FIIG Securities has acknowledged ASIC’s civil proceedings and noted that “no client investments or funds were accessed as a result of the cyber incident”.

“The proceedings relate to that cyber incident only and there have been no further incidents since May 2023,” a FIIG spokesperson told InvestorDaily’s sister brand Cyber Daily.

“FIIG is considering the claims made by ASIC and will respond as appropriate. FIIG does not intend to make any further public comments regarding the proceedings at this time.”