FIIG Securities Response to Cyber Incident

Based on our investigation, we believe the following types of personal information relating to our institutional clients has been accessed:

• Name; 
• Email address (generally work email address, or personal email address if provided) and date of birth for the authorised contacts of the institutional client.
• For a group of authorised contacts, some additional identity information was also accessed. This is the identity documentation provided when opening the account. This will be either a driver’s licence or passport of the authorised contacts.
• Other personal information that may have been included in documentation provided to us by an institutional client. For example, this may be personal information of the directors of the institutional client, if this was included in the client’s corporate due diligence pack. We do not ask for this information, but it can include the director’s name, director ID, and any identity documentation included in the pack.

We have contacted the authorised contacts of our institutional clients. We are unable at this time to contact any directors whose personal information may have been provided in corporate due diligence packs along with entity documentation. If you are a current or former director of one of FIIG’s current or former institutional clients and you believe your ID documents may have been included in your institution’s due diligence pack we recommend that you take the following steps. 

We do not believe the third-party has accessed any other personal information relating to our institutional clients (for example, we do not collect personal bank account details or TFNs for the authorised contacts of our institutional clients).   

1) Stay Alert to Phishing Emails, text messages and phone calls

Exercise usual caution when replying to emails, phone calls and text messages. Don’t open suspicious texts, pop-up windows or emails, or click on suspicious links or open unusual attachments. Ensure you thoroughly identify callers and don’t divulge personal information to unknown parties.  

2) Change your Passwords Regularly 

We recommend you change your passwords regularly.

3) Identification Documents  

If you provided ID documents upon opening or to maintain your organisation’s account with us, we believe a copy of these documents has been accessed in connection with this incident. Please see recommended steps below if this is the case. 

This incident does not affect the validity of any driver’s licence or passport, and you are still able to use these documents as a valid form of proof of identity. However, out of precaution, you may wish to replace your driver’s licence or put a DVS block on your passport if you have not already renewed or replaced it since initially providing us with those details. Details are provided below for how to replace a driver's license or add a DVS block on your passport.

FIIG will reimburse impacted people the cost to replace (not renew) their driver’s licence until 31 August 2023, upon the production of a receipt. FIIG generally does not hold client passport details; in the event we do, we recommend clients activate the DVS passport blocking service; details are provided below. Please contact your relationship manager or call 1800 01 01 81 to confirm the ID documents FIIG holds before replacing them (if you have not already), or with any other questions on ID replacement cost reimbursement.

We recommend that you review and continue to monitor your consumer credit report for any discrepancies or unusual activity. This is especially relevant if you have also been impacted by other cyber incidents where a broader amount of personal information has been compromised. 

You can apply for an annual free credit report from one of the consumer credit reporting agencies below. You can also consider contacting each of these bodies to place a temporary ban on your credit report. This means that each of these credit reporting agencies will not be able to share your credit report with credit providers without your consent for 21 days, unless extended. This sharing of your credit report is normally required for somebody to take out credit using your identity.

Equifax -  https://www.equifax.com.au/personal/products/credit-and-identity-products

Illion -  https://www.creditcheck.illion.com.au/
Experian  - https://www.experian.com.au/consumer/

4) General Recommendations  

Other steps you can take to protect yourself from the incident include: 

• Turn on two-factor authentication for online accounts where possible, including your email, banking, and social media accounts. 
• Follow good password practice. Please see the Australian Cyber Security Centre’s guidance here: https://www.cyber.gov.au/acsc/view-all-content/publications/creating-strong-passphrases
• Follow the Australian Competition and Consumer Commission’s Scamwatch guidance for protecting yourself from scams here:https://www.scamwatch.gov.au/get-help/protect-yourself-from-scams/

If you need assistance with taking the above steps, please visit cyber.gov.au or contact ID Care on 1800 595 160.

5) Information for individuals who may have supplied passport information

Please note: As part of the application process for becoming a FIIG client or maintaining an account, we sometimes require a passport number and, in some instances, a scanned copy of a passport. 

This incident does not affect the validity of any passport for travel purposes. However, to help prevent the digital misuse of your passport information which may have been exposed in the data breach, we can request to put a block on your passport using the Commonwealth Credential Protection Register (CPR). FIIG can facilitate the CPR registration of your passport through the Department of Home Affairs, and it will no longer verify through the Australian Government Documentation Verification Service (DVS). 

The DVS compares personal information on identity documents against existing government records, such as passports, to help verify identity online. 

Clients with passports that have expired in the past three years can consider opting in for this service, as passports that expired within this period can still be used to verify identity. 

How can I have my passport DVS blocked? 

If you would like to have your passport document number blocked within the DVS service, we need your consent and confirmation of the passport document number to be blocked. Please inform your relationship manager or by calling 1800 01 01 81 by phone with these details – do not provide them in written format via email. 

You will need to provide your first name, last name, email, and passport number, which will be supplied to the Australian Government Documentation Verification Service (DVS), and they will block your passport from verifying online. 

What does having my passport blocked  include?

A blocked passport means that it cannot be used to verify an identity online through the DVS for confirmation of identity checks for government departments and organisations such as banks and telecommunication companies. 

Can I continue to use my passport for travel or identity verification?

If you choose to have your passport blocked, you can continue to use your passport to travel and verify your identity in person, including for government or financial services. You can still book international travel with your passport number online. 

Can I have my passport unblocked?

Once blocked in the DVS system, a passport cannot be unblocked. If you replace or renew your passport, your current document will be voided, and your new document (with a new document number) will safely verify through the DVS.

Can I replace a passport blocked  in the DVS system?

Yes, if you opt to have your passport blocked, you can still choose to replace or renew this document at a later date. More information on replacement and renewal options is available at www.passports.gov.au/getting-passport-how-it-works/special-travel-documents/replacement-passport

What other documents will I be able to use to verify my identity online via the DVS service? 

The DVS service also accepts driver licences and Medicare cards. As long as these documents are not also flagged within the DVS system, they will continue to be able to be used for digital verification. Please note FIIG is unable to block any documents other than passports within the DVS system, including driver's licences. 

Where can I find more information?

For more information on your passport being involved in a data breach, please visit https://www.passports.gov.au/data-breaches

For more information on the Australian Governments Document Verification Service, please visit please see https://www.idmatch.gov.au/our-services

6) Driver’s Licence Information

Please note: As part of the application process, clients may have provided a driver’s license number and, in some instances, a scanned copy of the license. 

If you believe the driver’s licence details provided to FIIG have since expired, then you do not need to consider replacing your new licence.

7) Medicare

Medicare Card Copy

A Medicare card copy belonging to you may have been exposed during the cyber incident.

If you’re concerned or you’ve been affected, the easiest way to replace your Medicare card is by using your Medicare online account through myGov.

The Services Australia website contains helpful information about the steps you can take to replace your card:

www.servicesaustralia.gov.au/databreach

If you are concerned about the security of your Medicare, Centrelink and myGov accounts, you can contact the Scams and Identity Theft Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).

Medicare Card Number (number only, not card copy)

A Medicare card number belonging to you (not a copy of your Medicare card) may have been exposed during the cyber incident.

People can’t access your Medicare details or Medicare account with just your Medicare card number. To reassure you, unlike a scan or copy of a Medicare card, a Medicare card number by itself cannot be used as a proof of identity.

If you are concerned about the security of your Services Australia accounts, you can contact the Scams and Identity Theft Helpdesk on 1800 941 126 (available 8am to 5pm AEDT Monday to Friday).