The Australian Securities and Investments Commission (ASIC) today said it has taken RI Advice Group to court for cyber security failings that led to its systems being hacked for months on end, and on multiple occasions.
In its notice of filing [pdf], the regulator says RI is required to establish and maintain compliance measures, as an Australian financial services licence holder.
Nevertheless, RI failed to secure its systems despite being alerted to two security incidents involving its authorised representatives in December 2016 and May 2017.
In those two cases, a computer was infected with ransomware that rendered the files on it inaccessible, and a network was hacked via remote access, resulting in a data breach affecting 226 client groups.
RI did not review its cyber security controls and monitoring systems, and around December 30, 2017 a hacker broke into a file server at another authorised representative of the company, the Frontier Financial Group or FFG.
The unknown hacker obtained access via an FFG staff account, and spent more than 155 hours logged into the file server that contained sensitive financial information and client identification documents.
A post-mortem by KPMG found someone had tried 2178 usernames from ten different countries, resulting in 27,814 unsuccessful login attempts that went undetected.
KPMG's forensic analysis also found crypto miner malware on the file server, as well as a virtual private network being set up, a peer-to-peer file sharing application, hacking tools and brute-force password cracking software.
However, FFG did not detect the hack until April 16, 2018, and only informed RI of the breach on May 15 that year.
A data breach notification was lodged with the Office of the Australian Information Commissioner on June 4, and FFG told clients of the hack on July 31.
Meanwhile, three clients had complained to FFG that their personal information had been used without authorisation.
This included multiple bank accounts being opened without consent, and a mail redirection application being lodged with Australia Post, ASIC said.
FFG investigated the hack and discovered that up to 8104 individuals were potentially exposed in the breach.
Another hack using Trojan Horse malware at RI Shepparton, another authorised representative of RI, took place around May 23, 2018.
In that hack, an unknown party obtained access to an RI Shepparton email account and unsuccessfully requested a bookkeeper to transfer funds to a Turkish bank.
The hacks at RI authorised representatives continued in the next couple of years, with Empowered Financial Partners having an employee's mail account compromised, and RI Shepparton falling victim to phishing, thanks to poor cyber security status.
ASIC alleges that "RI's risk management systems and resources with respect to cyber security and cyber resilience prior to and as at 15 May 2018 were inadequate."
Five cyber assurance risk reviews by Security In Depth in September 2018 rated three authorised RI representatives as having poor security status, with two being rated as fair.
Security In Depth recommended that all RI ARs should undergo risk reviews, but this was not implemented.
ASIC is now seeking unspecified pecuniary penalties from RI for the hacks.
RI was part of ANZ's Aligned Dealer Group which also comprised Millennium 3 and Financial Services Partners, until 2018 when it was acquired by ASX-listed IOOF, formerly the Independent Order of Odd Fellows.