RI Advice Group
The Australian Securities and Investments Commission (ASIC) sued RI Advice Group, an IOOF subsidiary, for egregious cybersecurity failures after a hacker spent 155 hours logged into company systems undetected; passwords were found stored in text files on the server desktop.
What Happened
RI Advice Group suffered repeated cyber intrusions between 2014 and 2017, with ASIC's investigation revealing shocking inadequacies in the company's cybersecurity practices. In one incident, an attacker maintained unauthorised access to company systems for 155 hours without detection.
ASIC's investigation uncovered multiple failures, including passwords stored in plaintext text files on server desktops, no multi-factor authentication, inadequate intrusion detection systems, and a failure to implement basic security controls despite the company being a financial services provider handling sensitive client information.
The repeated breaches and fundamental security failures led ASIC to take the extraordinary step of launching civil proceedings against the company for failing to do all things necessary to ensure its financial services were provided efficiently, honestly, and fairly.
Impact on Individuals
Clients of RI Advice Group faced risks from the potential exposure of their financial information, personal details, and account credentials. The prolonged unauthorised access meant attackers had ample time to exfiltrate sensitive data.
Organisational Response
Following ASIC's action, parent company IOOF took steps to improve cybersecurity across its subsidiaries. The case became a landmark regulatory action demonstrating that financial regulators would hold companies accountable for cybersecurity failures that put consumers at risk. The proceedings highlighted the need for appropriate cybersecurity standards in the financial services sector.