FIIG Securities: FIIG Securities Fined AU$2.5 Million Following Prolonged Cybersecurity Failures

FIIG Securities Fined AU$2.5M for Prolonged Cybersecurity Failures Leading to Major Data Breach

Australian fixed-income firm FIIG Securities has been fined AU$2.5 million by the Federal Court after failing to protect client data from cyber threats over a four-year period, culminating in a 2023 ransomware attack that exposed sensitive personal and financial information. The penalty marks the first time the court has imposed civil penalties for cybersecurity failures under an Australian Financial Services (AFS) license.

The breach, attributed to the ALPHV/BlackCat ransomware group, occurred in May 2023 when a hacker infiltrated FIIG’s network and remained undetected for nearly three weeks, exfiltrating 385GB of data. Compromised information included names, addresses, driver’s licenses, passports, bank details, and tax file numbers belonging to 18,000 clients. FIIG only learned of the incident after being alerted by the Australian Signals Directorate’s Cyber Security Centre (ASD’s ACSC) on June 2, delaying its internal investigation by six days.

The court found that FIIG had failed to implement basic cybersecurity measures between March 2019 and June 2023, including:

  • Poorly configured firewalls and irregular software patching
  • Lack of mandatory cybersecurity training for staff
  • Inadequate privileged access management and multi-factor authentication (MFA)
  • No up-to-date incident response plan or regular vulnerability scanning
  • Ineffective endpoint detection and response (EDR) tools
  • A poorly configured Security Information and Event Management (SIEM) system

FIIG admitted to violating its AFS license obligations, acknowledging that stronger controls could have prevented or mitigated the breach. In addition to the fine, the firm was ordered to pay AU$500,000 toward ASIC’s enforcement costs and must now implement a compliance program overseen by an independent cybersecurity expert.

ASIC Deputy Chair Sarah Court emphasized the case as a warning, stating that “inadequate controls put clients and companies at real risk”, while ASIC Chair Joe Longo stressed that cybersecurity requires continuous monitoring, not a “set and forget” approach.

The ALPHV/BlackCat group, known for using compromised credentials, PowerShell scripts, and Cobalt Strike to disable security features, later claimed responsibility for the attack. The breach was discovered only after an employee was locked out of their email, revealing encrypted files and wiped backups. While FIIG restored some systems, critical data was permanently lost.

The case sets a precedent for cybersecurity enforcement in Australia’s financial sector, with experts noting that regulators now expect firms to align protections with data sensitivity, business scale, and potential attack impact.

Source: https://thecyberexpress.com/fiig-cyberattack-au2-5m-fine-fiig-securities/

FIIG Securities cybersecurity rating report: https://www.rankiteo.com/company/fiig-securities

"id": "FII1770717211",
"linkid": "fiig-securities",
"type": "Ransomware",
"date": "5/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '18,000',
                        'industry': 'Fixed-Income',
                        'location': 'Australia',
                        'name': 'FIIG Securities',
                        'type': 'Financial Services Firm'}],
 'attack_vector': ['Compromised credentials',
                   'PowerShell scripts',
                   'Cobalt Strike'],
 'data_breach': {'data_encryption': 'Yes (files encrypted by ransomware)',
                 'data_exfiltration': 'Yes (385GB exfiltrated)',
                 'number_of_records_exposed': '18,000 clients',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Driver’s licenses',
                                                         'Passports',
                                                         'Tax file numbers'],
                 'sensitivity_of_data': 'High (driver’s licenses, passports, '
                                        'bank details, tax file numbers)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Information']},
 'date_detected': '2023-06-02',
 'description': 'Australian fixed-income firm FIIG Securities was fined AU$2.5 '
                'million by the Federal Court for failing to protect client '
                'data from cyber threats over a four-year period, culminating '
                'in a 2023 ransomware attack that exposed sensitive personal '
                'and financial information. The breach, attributed to the '
                'ALPHV/BlackCat ransomware group, involved the exfiltration of '
                '385GB of data, including names, addresses, driver’s licenses, '
                'passports, bank details, and tax file numbers of 18,000 '
                'clients.',
 'impact': {'data_compromised': '385GB of data',
            'financial_loss': 'AU$2.5M fine + AU$500K enforcement costs',
            'identity_theft_risk': 'High (exposure of PII, bank details, tax '
                                   'file numbers)',
            'legal_liabilities': 'Violation of AFS license obligations',
            'operational_impact': 'Critical data permanently lost, systems '
                                  'restored partially',
            'payment_information_risk': 'High (exposure of bank details)'},
 'initial_access_broker': {'entry_point': 'Compromised credentials'},
 'investigation_status': 'Completed (Federal Court ruling)',
 'lessons_learned': 'Cybersecurity requires continuous monitoring and cannot '
                    "be a 'set and forget' approach. Basic measures like MFA, "
                    'regular patching, and incident response plans are '
                    'critical to preventing or mitigating breaches.',
 'post_incident_analysis': {'corrective_actions': ['Implementation of a '
                                                   'compliance program '
                                                   'overseen by an independent '
                                                   'cybersecurity expert',
                                                   'Enhanced cybersecurity '
                                                   'measures as per ASIC '
                                                   'requirements'],
                            'root_causes': ['Poorly configured firewalls and '
                                            'irregular software patching',
                                            'Lack of mandatory cybersecurity '
                                            'training',
                                            'Inadequate privileged access '
                                            'management and MFA',
                                            'No up-to-date incident response '
                                            'plan or regular vulnerability '
                                            'scanning',
                                            'Ineffective EDR tools and poorly '
                                            'configured SIEM system']},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes (385GB exfiltrated)',
                'ransomware_strain': 'ALPHV/BlackCat'},
 'recommendations': ['Implement mandatory cybersecurity training for staff',
                     'Enforce multi-factor authentication (MFA) and privileged '
                     'access management',
                     'Regularly update and patch software',
                     'Configure firewalls and SIEM systems properly',
                     'Conduct regular vulnerability scanning',
                     'Maintain an up-to-date incident response plan',
                     'Deploy effective endpoint detection and response (EDR) '
                     'tools'],
 'references': [{'source': 'Australian Securities & Investments Commission '
                           '(ASIC)'}],
 'regulatory_compliance': {'fines_imposed': 'AU$2.5M',
                           'legal_actions': 'Federal Court imposed civil '
                                            'penalties',
                           'regulations_violated': ['Australian Financial '
                                                    'Services (AFS) license '
                                                    'obligations']},
 'response': {'incident_response_plan_activated': 'Delayed by six days',
              'recovery_measures': 'Partial system restoration, but critical '
                                   'data permanently lost',
              'remediation_measures': ['Implementation of a compliance program '
                                       'overseen by an independent '
                                       'cybersecurity expert'],
              'third_party_assistance': 'Australian Signals Directorate’s '
                                        'Cyber Security Centre (ASD’s ACSC)'},
 'stakeholder_advisories': 'ASIC emphasized the need for continuous '
                           'cybersecurity monitoring and alignment of '
                           'protections with data sensitivity and business '
                           'scale.',
 'threat_actor': 'ALPHV/BlackCat',
 'title': 'FIIG Securities Fined AU$2.5M for Prolonged Cybersecurity Failures '
          'Leading to Major Data Breach',
 'type': 'Ransomware',
 'vulnerability_exploited': ['Poorly configured firewalls',
                             'Irregular software patching',
                             'Lack of multi-factor authentication (MFA)',
                             'Inadequate privileged access management']}