Australian financial firm hit with lawsuit after massive data breach

“The stolen information included highly sensitive customer data such as names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers,” ASIC said in a statement.

In its complaint, ASIC accused FIIG of failing to implement basic cybersecurity measures at various times, including:

  • properly configuring and monitoring firewalls to protect against cyber-attacks
  • updating and patching software and operating systems consistently and in a timely manner
  • providing regular, mandatory cybersecurity awareness training to staff
  • allocating adequate human, technological, and financial resources to manage cybersecurity.

As a result of those failures, ASIC said in its court filing, “A FIIG employee inadvertently downloaded a .zip file containing malware whilst browsing the Internet. The malware allowed a threat actor to remotely access FIIG’s network and perform network-based lateral movement and privilege escalation.” About days later, ASIC said, “The threat actor obtained access to a privileged user account on FIIG’s network and began downloading FIIG’s data.”
