Federal Court hits FIIG Securities with $2.5m fine after data breach

Hackers downloaded tax file numbers and passport details as firm ignored known vulnerabilities

The Federal Court imposed a $2.5m penalty on FIIG Securities Limited on February 13, 2026, after cyber attackers breached the company's systems and downloaded 385GB of client data.

In ASIC v FIIG Securities Limited, Justice Derrington declared that FIIG contravened section 912A of the Corporations Act between 13 March 2019 and 8 June 2023 by failing to maintain adequate cybersecurity measures, technological resources, human resources, and risk management systems.

The financial services licensee held between $2.99bn and $3.7bn in client assets during the relevant period. Hackers downloaded approximately 385GB of data from FIIG's servers from 19 May 2023, including clients' tax file numbers, passport details, driver's licenses, Medicare cards, and bank account information.

FIIG knew about the cybersecurity risks but failed to invest adequately in protection. The company spent approximately $1.2m on compliance during the relevant period but now faces remediation costs of $1.5m plus the penalty.

The court found FIIG lacked basic cybersecurity measures across multiple fronts. The company operated without a tested cyber incident response plan from 13 March 2019 to around January 2023. Staff received minimal security training – just two emails about phishing in 2022 and a mention of policies during induction.

FIIG's IT systems had critical gaps. The company failed for years to install security patches for the known vulnerabilities "EternalBlue" and "BlueKeep". Accounts with privileged access were also used for routine tasks, and FIIG stored passwords in plaintext files on its network rather than in a secure store.

The company ran penetration testing only once during the four-year period, in February 2023. It never conducted regular vulnerability scans and failed to monitor security alerts daily despite installing Carbon Black endpoint detection software on some systems. FIIG employed between 9 and 14 IT staff, but none possessed sufficient cybersecurity expertise or dedicated time to implement adequate measures.

The court noted that failing to ensure adequate cybersecurity measures can result in a failure to provide financial services efficiently and fairly. FIIG's failures meant the company lacked the technological, human, and financial resources required under its Australian Financial Services Licence.

The penalty represents approximately 20 percent of FIIG's net assets and 8 percent of its 2025 turnover. The court found this quantum provides an appropriate deterrent while recognizing FIIG's full cooperation with ASIC.

FIIG admitted the contraventions and agreed to implement a compliance program. The company must engage an independent cybersecurity expert to assess its systems and implement recommended improvements at its own expense. The court also ordered FIIG to pay $500,000 toward ASIC's legal costs.

The maximum penalty available for the contraventions totaled $41.25m.