03-13-2025, 01:35 PM
News Australian financial firm hit with lawsuit after massive data breach
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<p>Australian financial services firm FIIG Securities faces legal action from the Australian Securities and Investments Commission (ASIC) following a cybersecurity breach that exposed sensitive information of 18,000 clients.</p>
<p>According to court documents filed by ASIC in the Federal Court of Australia, FIIG allegedly operated with inadequate cybersecurity measures from March 2019 to June 2023, violating its obligations as an Australian Financial Services (AFS) licensee.</p>
<p>The regulatory body claims these security failings enabled a hacker to infiltrate FIIG’s IT network and remain undetected for nearly three weeks, from May 19 to June 8, 2023. During this time, the attacker exfiltrated approximately 385GB of confidential data, which was subsequently released on the dark web.</p>
<p>“The stolen information included highly sensitive customer data such as names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers,” <a href="https://asic.gov.au/about-asic/news-centre/find-a-media-release/2025-releases/25-035mr-asic-sues-fiig-securities-for-systemic-and-prolonged-cybersecurity-failures/">ASIC said in a statement</a>.</p>
<p>In its complaint, ASIC accused FIIG of failing to implement basic cybersecurity measures at various times, including:</p>
<ul class="wp-block-list">
<li>properly configuring and monitoring firewalls to protect against cyber-attacks</li>
<li>updating and patching software and operating systems consistently and in a timely manner</li>
<li>providing regular, mandatory cybersecurity awareness training to staff</li>
<li>allocating adequate human, technological, and financial resources to manage cybersecurity.</li>
</ul>
<p>As a result of those failures, ASIC said in its court filing, “A FIIG employee inadvertently downloaded a .zip file containing malware whilst browsing the Internet. The malware allowed a threat actor to remotely access FIIG’s network and perform network-based lateral movement and privilege escalation.” Days later, ASIC said, “The threat actor obtained access to a privileged user account on FIIG’s network and began downloading FIIG’s data.”</p>
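<p>The pattern ASIC describes, a compromised host pushing hundreds of gigabytes out of the network over several weeks, is one that monitored egress logging can surface. The script below is an added example, not code from the article, from FIIG or from ASIC: it aggregates outbound bytes per internal host per day from a hypothetical key=value firewall export, and flags hosts that exceed a volume threshold in more than one window, reporting the dominant destination and the share of flows that occurred out of hours. The log lines, addresses, byte counts and thresholds are constructed for the example and would be tuned to a real environment's baseline.</p>

```python
"""Flag sustained, high-volume outbound transfers in firewall connection logs.

Added example, not code from the article or from FIIG/ASIC. The log format is a
hypothetical key=value export; thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines: one host (10.20.1.15) pushes many gigabytes to a
# single external address over consecutive nights; a second host shows ordinary
# daytime traffic. All values are invented for the example.
SAMPLE_LOG = """\
2023-05-20T01:10:05Z src=10.20.1.15 dst=203.0.113.9 bytes_out=4294967296
2023-05-20T03:42:11Z src=10.20.1.15 dst=203.0.113.9 bytes_out=6442450944
2023-05-20T09:15:40Z src=10.20.1.22 dst=198.51.100.4 bytes_out=15728640
2023-05-21T02:01:17Z src=10.20.1.15 dst=203.0.113.9 bytes_out=8589934592
2023-05-21T11:30:02Z src=10.20.1.22 dst=198.51.100.4 bytes_out=20971520
2023-05-22T00:48:33Z src=10.20.1.15 dst=203.0.113.9 bytes_out=10737418240
"""

GIB = 1024 ** 3


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a UTC-aware timestamp."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "bytes_out": int(fields["bytes_out"])}


def find_exfil_candidates(log_text, window=timedelta(days=1),
                          threshold_bytes=5 * GIB, min_windows=2,
                          off_hours=(19, 7)):
    """Return {src: summary} for hosts whose outbound volume exceeded
    threshold_bytes in at least min_windows separate time windows.

    Requiring persistence across windows separates a one-off bulk transfer
    (a backup, a large upload) from the multi-day pattern of an exfiltration.
    """
    window_s = window.total_seconds()
    start_off, end_off = off_hours
    volume = defaultdict(lambda: defaultdict(int))   # src -> window -> bytes
    by_dst = defaultdict(lambda: defaultdict(int))   # src -> dst -> bytes
    flows = defaultdict(int)                         # src -> flow count
    night_flows = defaultdict(int)                   # src -> off-hours flows

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Bucket on UTC epoch time so a flow at 00:48 lands in the right day
        # regardless of the analyst machine's local timezone.
        bucket = int(rec["ts"].timestamp() // window_s)
        volume[rec["src"]][bucket] += rec["bytes_out"]
        by_dst[rec["src"]][rec["dst"]] += rec["bytes_out"]
        flows[rec["src"]] += 1
        hour = rec["ts"].hour
        if hour >= start_off or hour < end_off:
            night_flows[rec["src"]] += 1

    findings = {}
    for src, buckets in volume.items():
        hot = [b for b, total in buckets.items() if total >= threshold_bytes]
        if len(hot) < min_windows:
            continue
        total = sum(buckets.values())
        top_dst, top_bytes = max(by_dst[src].items(), key=lambda kv: kv[1])
        findings[src] = {
            "windows_over_threshold": len(hot),
            "total_bytes": total,
            "top_destination": top_dst,
            "top_destination_share": top_bytes / total,
            "off_hours_ratio": night_flows[src] / flows[src],
        }
    return findings


if __name__ == "__main__":
    for src, info in find_exfil_candidates(SAMPLE_LOG).items():
        print(f"{src}: {info['total_bytes'] / GIB:.1f} GiB over "
              f"{info['windows_over_threshold']} windows, "
              f"{info['top_destination_share']:.0%} to {info['top_destination']}, "
              f"off-hours ratio {info['off_hours_ratio']:.2f}")
```

<p>On the constructed sample, only 10.20.1.15 is reported: 28 GiB across three consecutive daily windows, all of it to one external address and all of it outside business hours. The second host's modest daytime traffic never crosses the threshold. A volume rule alone would also fire on legitimate bulk transfers, which is why the example insists on repetition across windows and exposes destination concentration and timing for an analyst to weigh.</p>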
<h2 class="wp-block-heading" id="security-lessons-from-the-breach">Security lessons from the breach</h2>
<p>CISOs wanting to avoid a fate similar to FIIG’s should take note of the <a href="https://download.asic.gov.au/media/0ubnrmym/25-035mr-asic-v-fiig-securities-limited-concise-statement-sealed.pdf">annexes to ASIC’s complaint</a>. These list 12 key actions for securing enterprise infrastructure that FIIG had failed to implement at various times, and six <a href="https://www.csoonline.com/article/3839272/what-is-risk-management-quantifying-and-mitigating-uncertainty.html">risk management</a> measures it had not taken.</p>
<p>FIIG reportedly learned of the potential cybersecurity incident on June 2, 2023, when contacted by the Australian Cyber Security Centre. According to ASIC, the company was unaware of the breach before this notification and did not begin investigating or responding to the incident until June 8 — almost a week after being alerted.</p>
<p>ASIC Chair Joe Longo emphasized the case should serve as a warning to all companies about the dangers of neglecting cybersecurity systems.</p>
<p>“Cybersecurity isn’t a set-and-forget matter,” Longo said in the statement. “All companies need to proactively and regularly check the adequacy of their cybersecurity measures and follow the advice of the ACSC.”</p>
<p>ASIC rarely takes cybersecurity enforcement action. In a previous case, decided in May 2022, the Federal Court ruled that AFS licensee <a href="https://asic.gov.au/about-asic/news-centre/find-a-media-release/2022-releases/22-104mr-court-finds-ri-advice-failed-to-adequately-manage-cybersecurity-risks/">RI Advice had breached its license obligations</a> by failing to have adequate risk management systems for cybersecurity risks.</p>
<p>Nevertheless, Longo noted, “Advancing digital safety and resilience is a strategic priority for ASIC. We have been actively engaging with companies to support the continuous improvement of cyber and operational resilience practices.”</p>
</div></div></div></div>
https://www.csoonline.com/article/384509...reach.html