“The stolen information included highly sensitive customer data such as names, addresses, birth dates, driver’s licenses, passports, bank account details, and tax file numbers,” ASIC said in a statement.
In its complaint, ASIC accused FIIG of failing to implement basic cybersecurity measures at various times, including:
- properly configuring and monitoring firewalls to protect against cyber-attacks
- updating and patching software and operating systems consistently and in a timely manner
- providing regular, mandatory cybersecurity awareness training to staff
- allocating inadequate human, technological, and financial resources to manage cybersecurity.
As a result of those failures, ASIC said in its court filing, “A FIIG employee inadvertently downloaded a .zip file containing malware whilst browsing the Internet. The malware allowed a threat actor to remotely access FIIG’s network and perform network-based lateral movement and privilege escalation.” About days later, ASIC said, “The threat actor obtained access to a privileged user account on FIIG’s network and began downloading FIIG’s data.”