The Australian Securities and Investment Commission (ASIC) is appealing to the Federal Court for failing to uphold a “reasonable standard” for cybersecurity.
ASIC alleges in its court filings that RI Group did not do enough to ensure security. That its representatives secured their clients’ confidential personal and financial details, alleging several incidents in which inadequate cyber-risk management resulted in data breaches and possible fraud attempts.
Between December 2016 and May 2018 – when ANZ Bank still owned RI Group – one of the company’s financial advisers was targeted by ransomware, and remote access ports compromised two.
In one instance, a malicious attacker logged on to the server of a RI Group trustee, the Frontier Trust, 155 hours of operation to access personal data and identity documents. It had taken three months before anyone noticed it.
Three of the clients of the Frontier Trust confirmed that they had attempted identity fraud, including “an application for redirecting mail to Australia Post and opening multiple bank accounts without their consent.”
Three months later and 27 months later, the Frontier Trust announced that they had encountered unlawful use of personal information likely to result from the infringement.
The incident report found significant weaknesses in Frontier Trust’s cyber protection, including that 90% of desktops worked without up-to-date antivirus applications. The mail system had a complete lack of encryption, and no one was making off-site backups, and, shockingly, “passwords and other security details [were] found in text files on the server desktop.”
In September 2018, RI brought a cyber consultant to review the security posture of its other affected officials – three of whom got a ‘poor’ rating.
Compromised Security & Upshots
The incident report found significant weaknesses in Frontier Trust’s cyber safety and security. Including that 90% of desktops worked without up-to-date antivirus applications, the mail system had a complete lack of encryption, and no one was making off-site backups, and, shockingly, “passwords and other security details [were] found in text files on the server desktop.”
“[An] unknown party had been monitoring the [representative] e-mail account for a while and had access to thousands of e-mail addresses and contact details, as well as more than ten thousand e-mails,” ASIC said.
ASIC wants fines of $11 million or 10% of RI’s parent company, the IOOF Group’s annual turnover (whichever is greater) for a total inability to handle the cyber risk properly.
The regulator also aims to require the RI Community to adopt “policies, plans, procedures, strategies, standards, guidelines, frameworks, systems, resources and controls that are reasonably appropriate for the proper management of cybersecurity security and cyber resilience risks” within three months.
Need More Guidance?
Remember, even a single flaw in ensuring proper cybersecurity standards will create a multitude of opportunities for hackers to gain access to confidential data of your company and your clients. Unless you follow all the right approaches in cyber risk management, https://www.cyberneticgi.com/2020/07/22/australia-cyber-hacks/ you won’t be completely secure. In this case, you should do something about proactive mitigation steps to recognize and minimize the threats from being vulnerable to breaches by ensuring maximum security.
Contact our team of professionals at Cybernetic Global Intelligence (CGI), an organization with years of expertise in delivering excellent cybersecurity services. You can either call at 1300 292 376 or, at any time, send a mail to contact@cybernetic-gi.com for assistance.