Australia’s
securities regulator is taking legal action against financial advisory firm
Fortnum Private Wealth Limited, alleging the company failed to protect client
data that ended up on the dark web.
Data of 9,000+ Clients Allegedly
Hit Dark Web After Wealth Firm Cyber Failures
The
Australian Securities and Investments Commission (ASIC) filed
suit in New South Wales Supreme Court, claiming more than 9,000 clients had
their personal information exposed after a cyberattack on one of Fortnum’s
business partners. The breach allegedly involved over 200 gigabytes of
sensitive data being stolen and published online.
ASIC’s
court filing details how Fortnum allegedly left itself and its network of
financial advisors vulnerable to cybercriminals between April 2021 and May
2023. The regulator says the Sydney-based wealth management firm didn’t have
proper safeguards in place, even as multiple cyber incidents hit its authorized
representatives during that period.
“Fortnum’s
alleged failure to adequately manage cybersecurity risks exposed the company,
its representatives and their clients to an unacceptable level of risk of a
cyber-attack,” ASIC Chair Joe Longo said in a statement.
This is yet another case of its kind in recent months. As reported by FinanceMagnates.com in March, ASIC sued FIIG Securities for alleged cybersecurity failures that resulted in a massive data breach, 385 GB of sensitive client data ended up on the dark web.
Potential Cyber Policy
Gaps
The case
centers on Fortnum’s handling of cybersecurity after it rolled out what ASIC
considers an inadequate policy in April 2021. Court documents show the
company’s first cybersecurity framework had significant gaps; it didn’t require
advisor firms to actually fix problems they identified in self-assessments, and
it allowed them to consult outside IT experts without any oversight from
Fortnum.
Only 44% of
Fortnum’s advisor network completed required cybersecurity self-assessments by
the September 2021 deadline, according to ASIC’s filing. Even fewer, just 11%, finished
the required attestation forms confirming they’d implemented proper security
measures.
“ASIC has
been highlighting the cybersecurity responsibilities of companies. Australian
financial services licensees, in particular, hold a range of sensitive and
confidential information,” Longo added. “That is why it is one of our
enforcement priorities to act where we see licensees fail to have adequate
protections.”
You may also like: ASIC Issues Super Scam Alert as $4 Trillion Investment System Targeted
What Went Wrong, According
to ASIC
The
regulator alleges Fortnum then abandoned enforcement of even these weak
requirements in mid-2022 while developing an updated policy, leaving a 12-month
gap with no additional protections. The new policy didn’t launch until May
2023.
During this
period, several of Fortnum’s authorized representatives suffered cyberattacks.
Beyond the major data breach that exposed thousands of client records,
incidents included compromised email accounts, phishing attacks, and hackers
sending fraudulent messages from advisor email addresses.
The court
documents reveal attackers accessed sensitive client information including
identification documents, tax file numbers, bank account details, and credit
card information, exactly the type of data cybercriminals target for identity
theft and fraud.
ASIC’s
lawsuit alleges Fortnum violated multiple provisions of the Corporations Act by
failing to provide financial services “efficiently, honestly and
fairly” and not maintaining adequate risk management systems. The
regulator claims the company didn’t have employees with cybersecurity expertise
and failed to hire qualified consultants when developing its policies.
The case is
scheduled for hearing on August 4, 2025. ASIC is seeking both a formal
declaration of wrongdoing and financial penalties against Fortnum.
Australia’s
securities regulator is taking legal action against financial advisory firm
Fortnum Private Wealth Limited, alleging the company failed to protect client
data that ended up on the dark web.
Data of 9,000+ Clients Allegedly
Hit Dark Web After Wealth Firm Cyber Failures
The
Australian Securities and Investments Commission (ASIC) filed
suit in New South Wales Supreme Court, claiming more than 9,000 clients had
their personal information exposed after a cyberattack on one of Fortnum’s
business partners. The breach allegedly involved over 200 gigabytes of
sensitive data being stolen and published online.
ASIC’s
court filing details how Fortnum allegedly left itself and its network of
financial advisors vulnerable to cybercriminals between April 2021 and May
2023. The regulator says the Sydney-based wealth management firm didn’t have
proper safeguards in place, even as multiple cyber incidents hit its authorized
representatives during that period.
“Fortnum’s
alleged failure to adequately manage cybersecurity risks exposed the company,
its representatives and their clients to an unacceptable level of risk of a
cyber-attack,” ASIC Chair Joe Longo said in a statement.
This is yet another case of its kind in recent months. As reported by FinanceMagnates.com in March, ASIC sued FIIG Securities for alleged cybersecurity failures that resulted in a massive data breach, 385 GB of sensitive client data ended up on the dark web.
Potential Cyber Policy
Gaps
The case
centers on Fortnum’s handling of cybersecurity after it rolled out what ASIC
considers an inadequate policy in April 2021. Court documents show the
company’s first cybersecurity framework had significant gaps; it didn’t require
advisor firms to actually fix problems they identified in self-assessments, and
it allowed them to consult outside IT experts without any oversight from
Fortnum.
Only 44% of
Fortnum’s advisor network completed required cybersecurity self-assessments by
the September 2021 deadline, according to ASIC’s filing. Even fewer, just 11%, finished
the required attestation forms confirming they’d implemented proper security
measures.
“ASIC has
been highlighting the cybersecurity responsibilities of companies. Australian
financial services licensees, in particular, hold a range of sensitive and
confidential information,” Longo added. “That is why it is one of our
enforcement priorities to act where we see licensees fail to have adequate
protections.”
You may also like: ASIC Issues Super Scam Alert as $4 Trillion Investment System Targeted
What Went Wrong, According
to ASIC
The
regulator alleges Fortnum then abandoned enforcement of even these weak
requirements in mid-2022 while developing an updated policy, leaving a 12-month
gap with no additional protections. The new policy didn’t launch until May
2023.
During this
period, several of Fortnum’s authorized representatives suffered cyberattacks.
Beyond the major data breach that exposed thousands of client records,
incidents included compromised email accounts, phishing attacks, and hackers
sending fraudulent messages from advisor email addresses.
The court
documents reveal attackers accessed sensitive client information including
identification documents, tax file numbers, bank account details, and credit
card information, exactly the type of data cybercriminals target for identity
theft and fraud.
ASIC’s
lawsuit alleges Fortnum violated multiple provisions of the Corporations Act by
failing to provide financial services “efficiently, honestly and
fairly” and not maintaining adequate risk management systems. The
regulator claims the company didn’t have employees with cybersecurity expertise
and failed to hire qualified consultants when developing its policies.
The case is
scheduled for hearing on August 4, 2025. ASIC is seeking both a formal
declaration of wrongdoing and financial penalties against Fortnum.
This post is originally published on FINANCEMAGNATES.
