ASIC Sues FIIG Securities for Cybersecurity Failures
The Australian Securities and Investments Commission (ASIC) said Thursday that it has launched legal action against FIIG Securities for systemic and prolonged cybersecurity failures.
The failures allegedly exposed sensitive client data over a four-year period.
According to ASIC, FIIG failed to implement adequate cybersecurity measures between March 2019 and June 2023, allowing a hacker to infiltrate its IT network undetected for nearly three weeks.
This breach resulted in the theft of approximately 385GB of confidential data, affecting 18,000 clients, with some personal information later released on the dark web.
The stolen data is said to have included names, addresses, birth dates, driver’s licences, passports, bank accounts, and tax file numbers.
FIIG only became aware of the incident after being contacted by the Australian Signals Directorate’s Cyber Security Centre (ASD’s ACSC) on 2 June 2023.
However, ASIC said the company did not begin investigating the breach until 8 June 2023—nearly a week later.
ASIC Chair Joe Longo warned that cybersecurity is not a “set and forget” matter, urging companies to proactively assess and improve their defences.
“We allege FIIG’s inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk,” he said.
ASIC is seeking civil penalties and compliance orders against FIIG for failing to have adequate firewalls, software updates, cybersecurity training, and resources.
The case marks ASIC’s second cybersecurity enforcement action, following a 2022 ruling against RI Advice.