₹13.5Cr Penalty on FIIG for Cyber Lapses, Data Breach

Cybersecurity Lapses Cost FIIG Securities ₹13.5 Crore as Court Imposes Landmark Penalty

The420.in Staff

Australian fixed-income financial firm FIIG Securities has been fined approximately ₹13.5 crore (AU$2.5 million) after the Federal Court found that it failed to adequately safeguard client data against cyber threats for more than four years. The penalty follows a significant 2023 ransomware attack that resulted in the theft and exposure of highly sensitive personal and financial information belonging to around 18,000 clients.

The ruling marks the first time civil penalties have been imposed for cybersecurity failures under the general obligations of an Australian Financial Services (AFS) licence. In addition to the fine, the court ordered FIIG to pay approximately ₹2.7 crore (AU$500,000) toward enforcement costs incurred by the Australian Securities and Investments Commission (ASIC). The company has also been directed to implement a comprehensive compliance program, including the appointment of an independent cybersecurity expert to oversee improvements in its cyber resilience framework.

Ransomware Attack Exposed 385GB of Confidential Data

The enforcement action stems from a ransomware attack in May 2023. ASIC alleged that between March 2019 and June 2023, FIIG failed to implement and maintain adequate cybersecurity controls, leaving its IT systems vulnerable to intrusion.

On May 19, 2023, an attacker gained access to FIIG’s network and remained undetected for nearly three weeks. During that period, approximately 385 gigabytes of confidential data were exfiltrated. The stolen information included client names, residential addresses, dates of birth, driver’s licence and passport details, bank account information, and tax file numbers.

FIIG later informed around 18,000 clients that their personal information may have been compromised. Notably, the breach was not detected internally. The company became aware of the incident only after being contacted by Australia’s Cyber Security Centre on June 2, 2023. Despite this warning, FIIG reportedly delayed launching a formal internal investigation for six additional days.

Basic Cyber Controls Found Inadequate

According to ASIC, FIIG failed to implement several foundational cybersecurity measures. These included properly configured firewalls, regular patching of software and operating systems, mandatory cybersecurity awareness training for staff, adequate allocation of financial and human resources for cyber risk management, and an up-to-date incident response plan.

Additional shortcomings cited included ineffective privileged access controls, absence of routine vulnerability scanning, lack of endpoint detection and response systems, insufficient deployment of multi-factor authentication, and a poorly configured Security Information and Event Management (SIEM) system.

Regulators stated that adherence to FIIG’s own internal policies and procedures could have significantly reduced the scale of the breach or enabled earlier detection.

ALPHV/BlackCat Ransomware Group Claimed Responsibility

The cyberattack was later claimed by the notorious ransomware group ALPHV/BlackCat, which alleged on the dark web that it had stolen 385GB of data from FIIG’s primary server. The group reportedly warned the company that it had a limited window to respond before facing further consequences.

Security analyses indicate that the group typically gains initial access through compromised credentials, deploys scripts to disable protective mechanisms, and spreads ransomware across networks using malicious tools. The breach reportedly came to light after an employee was locked out of their email account, prompting further investigation that revealed encrypted files and deleted backups.

A Wake-Up Call for Financial Institutions

Regulatory authorities described the case as a clear warning to Australia’s financial sector. Cybersecurity, they stressed, is not a “set-and-forget” function but requires continuous monitoring, investment, and improvement.

Industry experts believe the court’s decision sets an important precedent for regulatory enforcement in cybersecurity governance. It clarifies expectations regarding what constitutes “adequate” cybersecurity controls, particularly for firms handling large volumes of sensitive financial data.

The FIIG case underscores that in the digital era, cybersecurity is not merely a technical requirement but a legal and fiduciary obligation. Companies that fail to proactively protect customer information may now face substantial financial penalties and heightened regulatory scrutiny.

The ruling signals a tougher stance on cyber governance, reinforcing that sustained neglect of security systems can carry serious financial and reputational consequences.

About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.