Finance Magnates

Regulator Claims 9,000+ Clients' Data Hit Dark Web in Security Breach

Australia's securities regulator is taking legal action against financial advisory firm Fortnum Private Wealth Limited, alleging the company failed to protect client data that ended up on the dark web.

Data of 9,000+ Clients Allegedly Hit Dark Web After Wealth Firm Cyber Failures

The Australian Securities and Investments Commission (ASIC) filed suit in New South Wales Supreme Court, claiming more than 9,000 clients had their personal information exposed after a cyberattack on one of Fortnum's business partners. The breach allegedly involved over 200 gigabytes of sensitive data being stolen and published online.

ASIC's court filing details how Fortnum allegedly left itself and its network of financial advisors vulnerable to cybercriminals between April 2021 and May 2023. The regulator says the Sydney-based wealth management firm didn't have proper safeguards in place, even as multiple cyber incidents hit its authorized representatives during that period.

"Fortnum's alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack," ASIC Chair Joe Longo said in a statement.

This is yet another case of its kind in recent months. As reported by FinanceMagnates.com in March, ASIC sued FIIG Securities for alleged cybersecurity failures that resulted in a massive data breach in which 385 GB of sensitive client data ended up on the dark web.

Potential Cyber Policy Gaps

The case centers on Fortnum's handling of cybersecurity after it rolled out what ASIC considers an inadequate policy in April 2021. Court documents show the company's first cybersecurity framework had significant gaps; it didn't require advisor firms to actually fix problems they identified in self-assessments, and it allowed them to consult outside IT experts without any oversight from Fortnum.

Only 44% of Fortnum's advisor network completed required cybersecurity self-assessments by the September 2021 deadline, according to ASIC's filing. Even fewer, just 11%, finished the required attestation forms confirming they'd implemented proper security measures.

“ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information,” Longo added. “That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections.”

What Went Wrong, According to ASIC

The regulator alleges Fortnum then abandoned enforcement of even these weak requirements in mid-2022 while developing an updated policy, leaving a 12-month gap with no additional protections. The new policy didn't launch until May 2023.

During this period, several of Fortnum's authorized representatives suffered cyberattacks. Beyond the major data breach that exposed thousands of client records, incidents included compromised email accounts, phishing attacks, and hackers sending fraudulent messages from advisor email addresses.

The court documents reveal attackers accessed sensitive client information including identification documents, tax file numbers, bank account details, and credit card information, exactly the type of data cybercriminals target for identity theft and fraud.

ASIC's lawsuit alleges Fortnum violated multiple provisions of the Corporations Act by failing to provide financial services "efficiently, honestly and fairly" and not maintaining adequate risk management systems. The regulator claims the company didn't have employees with cybersecurity expertise and failed to hire qualified consultants when developing its policies.

The case is scheduled for hearing on August 4, 2025. ASIC is seeking both a formal declaration of wrongdoing and financial penalties against Fortnum.