ASIC Sues This Company Over Alleged Four-Year Cybersecurity Failures Involving 385GB of Data
Australia's corporate watchdog has launched federal court proceedings against fixed income specialist FIIG Securities Limited for allegedly maintaining inadequate cybersecurity systems over a four-year period, resulting in a massive data breach that compromised sensitive information of approximately 18,000 clients.
FIIG Securities Faces Federal Court Action After 385GB Data Breach
The Australian Securities and Investments Commission (ASIC) alleges that FIIG's cybersecurity failures, which persisted from March 2019 to June 2023, enabled hackers to infiltrate the firm's IT network and operate undetected for nearly three weeks before the breach was discovered.
According to court documents, the breach resulted in the theft of approximately 385GB of confidential data, including highly sensitive client information such as names, addresses, birth dates, driver's licenses, passports, bank account details, and tax file numbers. Some of this information was subsequently released on the dark web.

"This matter should serve as a wake-up call to all companies on the dangers of neglecting your cybersecurity systems," said ASIC Chair Joe Longo. "Cybersecurity isn't a set and forget matter. All companies need to proactively and regularly check the adequacy of their cybersecurity measures."
Delayed Breach Response Under Scrutiny
The regulator claims FIIG failed to respond promptly when initially notified of potential malicious activity. The company was reportedly contacted by the Australian Signals Directorate's Australian Cyber Security Centre on June 2, 2023, but did not investigate and respond to the incident until June 8, almost a week later.
ASIC's allegations detail multiple cybersecurity failures by FIIG, including improperly configured firewalls, failure to update and patch software for security vulnerabilities, lack of mandatory cybersecurity awareness training for staff, and inadequate resources devoted to cybersecurity management.
"Australian financial services licensees are required by law to have adequate cybersecurity risk management systems in place," Longo added. "We allege FIIG's inadequate cybersecurity measures left the business and its confidential client information vulnerable and exposed to significant risk."
FIIG Securities provides retail and wholesale investors with access to fixed income investments and bond financing, serving as a custodian for client investments and maintaining records of those investments. As an Australian Financial Services (AFS) licensee, the firm has legal obligations to ensure financial services are provided efficiently, honestly and fairly, and to maintain adequate risk management systems.
Second Cybersecurity Enforcement
The regulator is seeking declarations of contraventions, civil penalties, and compliance orders against FIIG. This case marks ASIC's second cybersecurity enforcement action, following a 2022 ruling against RI Advice for similar breaches of license obligations.
Cybersecurity failures have become an enforcement priority for ASIC, which has recently called for greater vigilance from Australian organizations following findings from its 2023 cyber pulse survey. The regulator has published various resources to help companies improve their cyber resilience and risk management practices.
FIIG Securities has not yet issued a public response to the allegations.