Cyber Incident Victim: FIIG Securities
Date: Jun 2023
Location: Australia
Summary
A cyber incident at FIIG Securities resulted in unauthorized access to sensitive client information. The accessed data included copies of identification documents such as driver's licences and passports, as well as Medicare card details and numbers. Tax file numbers were also potentially compromised in the breach. The company is offering to reimburse costs for replacing driver's licences and is facilitating the blocking of compromised passports through a government service to prevent digital misuse.
Description
On or around June 1, 2023, FIIG Securities publicly disclosed it had experienced a cyber incident. The company's response was focused on informing clients of the breach and providing guidance on protective measures, though the exact date of the initial intrusion and the method of attack were not detailed in the public communication. The incident resulted in unauthorized access to sensitive client data held by the company. The compromised information included copies of identification documents provided by clients when opening or maintaining an account. The company stated it believed copies of these documents had been accessed.

The specific types of identification documents affected were driver's licences and passports. For individuals who had supplied passport information as part of their application process, both the passport number and, in some instances, a scanned copy of the passport were exposed. The breach also involved Medicare information. A copy of a client's Medicare card may have been exposed. Furthermore, a client's Medicare card number, though not an actual copy of the card, may also have been exposed in the incident. The company noted that tax file numbers were part of the compromised data set. While FIIG stated it generally does not hold client passport details, it acknowledged that for those clients where it did, the information was accessed.
In its official response, FIIG Securities did not identify the specific threat actor responsible for the cyber incident. The public communication did not describe any actions taken by the attackers beyond the unauthorized access and exfiltration of data. There was no mention of ransomware deployment, encryption of systems, or any disruptive activity against operational technology. The primary impact was the compromise of sensitive personal information, creating a significant risk of identity theft and fraud for the affected clients.
The company's response included several immediate actions to support impacted individuals. FIIG announced it would reimburse the cost for clients to replace their driver's licences upon production of a receipt, with this offer valid until August 31, 2023. For passport information, FIIG offered to facilitate a block on the document within the Australian Government's Document Verification Service (DVS) through the Commonwealth Credential Protection Register. This action would prevent the passport number from being used to verify an identity online via the DVS, a service used by government departments and private organizations like banks, while still allowing the physical passport to be used for travel and in-person verification. Clients were instructed to contact their relationship manager or a dedicated phone number to provide consent and their passport details for this process, and were explicitly advised not to send this information via email.
FIIG provided extensive guidance to clients on steps they could take to protect themselves, though these were presented as recommendations rather than direct response actions taken by the company itself. Clients were advised to exercise heightened caution regarding phishing emails, text messages, and phone calls, and to be wary of potential cyber extortion attempts where scammers might use the dark web data release to demand payment. The company directed individuals to report any extortion attempts to the Australian Cyber Security Centre. Recommendations also included changing passwords regularly and enabling enhanced security measures on bank accounts, such as two-factor authentication, while noting that bank account and BSB numbers alone typically cannot be used to access an account.
For other forms of compromised data, clients were advised to contact the Australian Taxation Office to place additional security measures on their accounts due to the exposure of tax file numbers. To address concerns about identity theft and fraudulent credit applications, clients were recommended to review their consumer credit reports for discrepancies and to consider placing a temporary ban on their credit file with reporting agencies, which would prevent credit providers from accessing their report without consent for 21 days. For concerns related to exposed Medicare information, clients were directed to the Services Australia website for steps on replacing a Medicare card and were given a contact number for the Scams and Identity Theft Helpdesk. The company consistently referred clients to external support services, including ID Care for general guidance on identity document compromises and the national cyber security website, cyber.gov.au.
The compromise of official identity documents represented a severe consequence of the incident, as these documents are foundational for verifying identity across financial services, government benefits, and telecommunications. The exposure of scanned copies, as opposed to just numbers, increased the potential for their misuse in sophisticated fraud schemes. The incident did not, however, affect the physical validity of any driver’s licence or passport for their primary purposes, such as driving or international travel. The long-term impact on clients was framed as an ongoing risk of identity fraud requiring continuous vigilance and monitoring of financial accounts and credit reports. The organizational response was primarily focused on customer support and harm mitigation through reimbursements and facilitating government security measures, rather than detailing technical containment or eradication steps taken on its own corporate network.
