FIIG Securities fined over $1.2M for 385 GB customer data breach
Australia’s ASIC fined FIIG Securities AU$2.5 million (≈CNY 12 million) and ordered AU$0.5 million in costs after a 2023 breach exposed 385 GB of client data—including IDs, passports and bank details—highlighting numerous security compliance failures such as missing MFA, weak passwords, and lack of penetration testing.
Following a 2023 breach, the Australian Securities and Investments Commission (ASIC) took action against FIIG Securities, the first financial services licence holder in Australia penalised over a cybersecurity breach, resulting in a penalty of AU$2.5 million (≈CNY 12 million) plus AU$0.5 million in legal costs.
ASIC’s investigation revealed that about 385 GB of internal data were exposed on the internet, containing sensitive client information such as driver’s licence numbers, passport details, bank account numbers and tax identification numbers. FIIG later acknowledged that roughly 18,000 customers could be affected.
The regulator identified multiple security‑compliance shortcomings accumulated over four years, including insufficient financial and technical resources, lack of qualified security personnel, absence of multi‑factor authentication for remote access, weak password policies, inadequate privileged‑account controls, mis‑configured firewalls and security software, and failure to conduct regular penetration testing or vulnerability scans.
ASIC also noted that employees had not received cybersecurity awareness training and that the firm lacked a documented, annually‑tested incident‑response plan. As a result, ASIC ordered mandatory security measures for investment‑licence holders to protect investors from cyber‑risk.
Security researchers linked the attack to the ALPHV ransomware group. FIIG Securities was acquired in June 2022 by AUSIEX, a subsidiary of Nomura Research Institute Australia; AUSIEX's CEO confirmed that the company would comply with the court's ruling and that no client funds were affected.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path