{"id":2326,"date":"2025-03-13T12:30:31","date_gmt":"2025-03-13T12:30:31","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2326"},"modified":"2025-03-13T12:30:31","modified_gmt":"2025-03-13T12:30:31","slug":"australian-financial-firm-hit-with-lawsuit-after-massive-data-breach","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2326","title":{"rendered":"Australian financial firm hit with lawsuit after massive data breach"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Australian financial services firm FIIG Securities faces legal action from the Australian Securities and Investments Commission (ASIC) following a cybersecurity breach that exposed sensitive information of 18,000 clients.<\/p>\n<p>According to court documents filed by ASIC in the Federal Court of Australia, FIIG allegedly operated with inadequate cybersecurity measures from March 2019 to June 2023, violating its obligations as an Australian Financial Services (AFS) licensee.<\/p>\n<p>The regulatory body claims these security failings enabled a hacker to infiltrate FIIG\u2019s IT network and remain undetected for nearly three weeks, from May 19 to June 8, 2023. 
During this time, the attacker exfiltrated approximately 385GB of confidential data, which was subsequently released on the dark web.<\/p>\n<p>\u201cThe stolen information included highly sensitive customer data such as names, addresses, birth dates, driver\u2019s licenses, passports, bank account details, and tax file numbers,\u201d <a href=\"https:\/\/asic.gov.au\/about-asic\/news-centre\/find-a-media-release\/2025-releases\/25-035mr-asic-sues-fiig-securities-for-systemic-and-prolonged-cybersecurity-failures\/\">ASIC said in a statement<\/a>.<\/p>\n<p>In its complaint, ASIC accused FIIG of failing to implement basic cybersecurity measures at various times, including:<\/p>\n<p>properly configuring and monitoring firewalls to protect against cyber-attacks<\/p>\n<p>updating and patching software and operating systems consistently and in a timely manner<\/p>\n<p>providing regular, mandatory cybersecurity awareness training to staff<\/p>\n<p>allocating adequate human, technological, and financial resources to manage cybersecurity.<\/p>\n<p>As a result of those failures, ASIC said in its court filing, \u201cA FIIG employee inadvertently downloaded a .zip file containing malware whilst browsing the Internet. The malware allowed a threat actor to remotely access FIIG\u2019s network and perform network-based lateral movement and privilege escalation.\u201d About days later, ASIC said, \u201cThe threat actor obtained access to a privileged user account on FIIG\u2019s network and began downloading FIIG\u2019s data.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Security lessons from the breach<\/h2>\n<p>CISOs wanting to avoid a fate similar to FIIG\u2019s should take note of the <a href=\"https:\/\/download.asic.gov.au\/media\/0ubnrmym\/25-035mr-asic-v-fiig-securities-limited-concise-statement-sealed.pdf\">annexes to ASIC\u2019s complaint<\/a>. 
These list 12 key actions for securing enterprise infrastructure that FIIG had failed to implement at various times, and six <a href=\"https:\/\/www.csoonline.com\/article\/3839272\/what-is-risk-management-quantifying-and-mitigating-uncertainty.html\">risk management<\/a> measures it had not taken.<\/p>\n<p>FIIG reportedly learned of the potential cybersecurity incident on June 2, 2023, when contacted by the Australian Cyber Security Centre. According to ASIC, the company was unaware of the breach before this notification and did not begin investigating or responding to the incident until June 8 \u2014 almost a week after being alerted.<\/p>\n<p>ASIC Chair Joe Longo emphasized the case should serve as a warning to all companies about the dangers of neglecting cybersecurity systems.<\/p>\n<p>\u201cCybersecurity isn\u2019t a set-and-forget matter,\u201d Longo said in the statement. \u201cAll companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ASD\u2019s ACSC.\u201d<\/p>\n<p>ASIC rarely takes cybersecurity enforcement action. In a previous case it brought in May 2022 the Federal Court ruled that AFS licensee <a href=\"https:\/\/asic.gov.au\/about-asic\/news-centre\/find-a-media-release\/2022-releases\/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks\/\">RI Advice had breached its license obligations<\/a> by failing to have adequate risk management systems for cybersecurity risks.<\/p>\n<p>Nevertheless, Longo noted, \u201cAdvancing digital safety and resilience is a strategic priority for ASIC. 
We have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Australian financial services firm FIIG Securities faces legal action from the Australian Securities and Investments Commission (ASIC) following a cybersecurity breach that exposed sensitive information of 18,000 clients. According to court documents filed by ASIC in the Federal Court of Australia, FIIG allegedly operated with inadequate cybersecurity measures from March 2019 to June 2023, violating [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2327,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2326","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2326"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2326"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2326\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2327"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/
\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}