Data breach exposes clients

Thousands of FIIG Securities clients had their personal information stolen in a massive data breach that went undetected for nearly three weeks. The cyber attack, which occurred between May 19 and June 8, 2023, resulted in a staggering 385GB of confidential data being swiped from right under their noses.

The breach affected approximately 18,000 clients. Not just names and addresses – the hackers got everything. Birth dates. Driver’s license details. Passport information. Bank account numbers. Even tax file numbers. Pretty much the jackpot for identity thieves.

The cyber theft wasn’t just skin-deep. Hackers grabbed every detail needed to steal 18,000 lives—the identity thief’s dream haul.

What’s worse? FIIG had no clue anything was happening. They only found out when the Australian Cyber Security Centre gave them a heads-up on June 2. Even then, they dragged their feet until June 8 before starting an investigation. Talk about slow reaction times.

The Australian Securities and Investments Commission (ASIC) isn’t happy. They’ve slapped FIIG with a lawsuit filed in Federal Court, seeking declarations of contraventions and civil penalties. This marks only the second time ASIC has taken enforcement action specifically for cybersecurity failures.

According to ASIC, FIIG’s cybersecurity measures were woefully inadequate for over four years. They failed to configure firewalls properly, skipped software updates, and didn’t bother training staff on cybersecurity basics. Classic corner-cutting that finally caught up with them.

The breach apparently started when an employee downloaded malware while browsing the internet. Amateur hour. This allowed hackers to gain remote access to FIIG’s network and eventually access a privileged user account to download data. Some of this sensitive information has already appeared on the dark web. Statistics show 60% of small businesses close within six months of experiencing such breaches, making proper security measures crucial for organizational survival.

FIIG finally took their network offline on June 9 and spent months restoring their IT systems. Too little, too late for their clients whose personal data is now floating around in cyberspace.

The case highlights ASIC’s growing focus on digital safety and serves as a stark reminder of the consequences of cybersecurity negligence in the financial services industry. Under regulations like GDPR, similar breaches could result in fines up to 4% of turnover for companies failing to protect sensitive data. ASIC Chair Joe Longo expressed serious concerns about the company’s delayed response, emphasizing the critical need for proactive cybersecurity measures.
