FIIG penalised $2.5m for cyber security failures


After large-scale data breach attributed to ransomware infection.

The Australian Securities and Investments Commission (ASIC) has succeeded in its application for FIIG Securities to be penalised over a large-scale data breach in 2023 that leaked the sensitive data of tens of thousands of the financial institution's customers onto the internet.


A pecuniary penalty of $2.5 million was ordered by the Federal Court, along with an award of costs amounting to $500,000 against FIIG, ASIC said.

The brokerage alerted customers to the breach in June 2023, with the ALPHV ransomware group believed by security researchers to be behind the attack.

Last year, ASIC sued FIIG, alleging it had failed to implement adequate cyber security measures over a four-year period.

That failure enabled hackers to compromise FIIG's network, ASIC alleged.

Some 385 gigabytes of data containing sensitive client information, including driver's licences, passport details, bank account details and tax file numbers, were leaked onto the internet, ASIC said.

Overall, FIIG admitted that the data of around 18,000 clients may have been compromised in the incident.

FIIG also acknowledged the compliance failures that prevented earlier detection of the breach.

ASIC said the failures between 2019 and 2023 included FIIG not allocating the financial resources needed to fund qualified and experienced staff, or the technological resources needed to manage cyber security.

Other failures noted included not implementing multi-factor authentication (MFA) for remote access, and the lack of policies covering strong passwords, access controls for privileged accounts, and appropriate configuration of firewalls and security software.

The absence of regular penetration testing and vulnerability scanning was also among the failures listed by the securities watchdog.

Staff were not trained in cyber security awareness, and there was no proper incident response plan that was tested annually, ASIC found.

ASIC requires investment licensees such as FIIG to implement mandatory measures to protect their investor clients against cyber security risks.

"Cyber-attacks and data breaches are escalating in both scale and sophistication, and inadequate controls put clients and companies at real risk," ASIC deputy chair Sarah Court said in a statement.

Copyright © iTnews.com.au . All rights reserved.