FIIG Securities sued by ASIC over ‘systemic and prolonged’ cyber security failures

The financial regulator will pursue Australian investment firm FIIG Securities over a 2023 data breach linked to the Russian ransomware gang ALPHV.

David Hollingworth
Thu, 13 Mar 2025

The Australian Securities and Investments Commission (ASIC) has revealed it is suing FIIG Securities over alleged cyber security failures in the lead-up to, and in response to, a ransomware-related data breach in May and June 2023.

“ASIC alleges from March 2019 to 8 June 2023, FIIG failed to take the appropriate steps, as is required by an Australian Financial Services (AFS) licensee, to ensure it had adequate cyber risk management systems in place,” ASIC said in a 13 March press release, referring to documents filed with the Federal Court of Australia.

According to ASIC, it was this lack of preparedness that allowed a Russian ransomware operator to gain access to FIIG’s network between 19 May and 8 June 2023. This compromise saw the hackers steal 385 gigabytes of data, which the ALPHV ransomware gang published shortly after.

The stolen data included scans of driver’s licenses and passports, bank details, tax file numbers, and commercially confidential data. In the wake of the data breach, FIIG notified approximately 18,000 clients that their personal data may have been compromised.

FIIG was warned of a potential intrusion by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) on 2 June, but it was not aware of any network compromise prior to that date. FIIG’s own investigations did not occur until 8 June.

ASIC is seeking “declarations of contraventions, civil penalties and compliance orders” regarding FIIG’s alleged failures to properly configure and monitor its network firewalls, address security vulnerabilities within systems, provide adequate cyber security training to staff, and have the necessary human and technical resources in place to protect the company, its clients, and their data.

“This matter should serve as a wake-up call to all companies on the dangers of neglecting your cyber security systems,” ASIC chair Joe Longo said in a statement.

“Cyber security isn’t a set-and-forget matter. All companies need to proactively and regularly check the adequacy of their cyber security measures and follow the advice of the ASD’s ACSC.

“Australian financial services licensees are required by law to have adequate cyber security risk management systems in place. We allege FIIG’s inadequate cyber security measures left the business and its confidential client information vulnerable and exposed to significant risk.”

At the time of the incident, several worried clients expressed their dismay to the ABC.

“It points to perhaps a certain negligence or complacency on the part of FIIG, which I find rather surprising given the high-profile cases of cyber security incidents we’ve seen in recent years,” one client told the national broadcaster.

“To get right down into the details of whether sensitive information that’s not required is being retained inappropriately, to make sure that sensitive data that’s not needed is securely destroyed.”

FIIG Securities has acknowledged ASIC’s civil proceedings and noted that “no client investments or funds were accessed as a result of the cyber incident”.

“The proceedings relate to that cyber incident only, and there have been no further incidents since May 2023,” a FIIG spokesperson told Cyber Daily.

“FIIG is considering the claims made by ASIC and will respond as appropriate. FIIG does not intend to make any further public comments regarding the proceedings at this time.”


UPDATED 13/03/25 to add comment from FIIG

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
