Regulator Claims 9,000+ Clients' Data Hit Dark Web in Security Breach


Australia's securities regulator is taking legal action against financial advisory firm Fortnum Private Wealth Limited, alleging the company failed to protect client data that ended up on the dark web.

Data of 9,000+ Clients Allegedly Hit Dark Web After Wealth Firm Cyber Failures

The Australian Securities and Investments Commission (ASIC) filed suit in the New South Wales Supreme Court, claiming more than 9,000 clients had their personal information exposed after a cyberattack on one of Fortnum's business partners. The breach allegedly involved over 200 gigabytes of sensitive data being stolen and published online.

ASIC's court filing details how Fortnum allegedly left itself and its network of financial advisors vulnerable to cybercriminals between April 2021 and May 2023. The regulator says the Sydney-based wealth management firm didn't have proper safeguards in place, even as multiple cyber incidents hit its authorized representatives during that period.

"Fortnum's alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk of a cyber-attack," ASIC Chair Joe Longo said in a statement.

This is yet another case of its kind in recent months. As reported by FinanceMagnates.com in March, ASIC sued FIIG Securities for alleged cybersecurity failures that resulted in a massive data breach in which 385 GB of sensitive client data ended up on the dark web.

Potential Cyber Policy Gaps

The case centers on Fortnum's handling of cybersecurity after it rolled out what ASIC considers an inadequate policy in April 2021. Court documents show the company's first cybersecurity framework had significant gaps: it didn't require advisor firms to actually fix problems they identified in self-assessments, and it allowed them to consult outside IT experts without any oversight from Fortnum.

Only 44% of Fortnum's advisor network completed required cybersecurity self-assessments by the September 2021 deadline, according to ASIC's filing. Even fewer, just 11%, finished the required attestation forms confirming they'd implemented proper security measures.

"ASIC has been highlighting the cybersecurity responsibilities of companies. Australian financial services licensees, in particular, hold a range of sensitive and confidential information," Longo added. "That is why it is one of our enforcement priorities to act where we see licensees fail to have adequate protections."

What Went Wrong, According to ASIC

The regulator alleges Fortnum then abandoned enforcement of even these weak requirements in mid-2022 while developing an updated policy, leaving a 12-month gap with no additional protections. The new policy didn't launch until May 2023.

During this period, several of Fortnum's authorized representatives suffered cyberattacks. Beyond the major data breach that exposed thousands of client records, incidents included compromised email accounts, phishing attacks, and hackers sending fraudulent messages from advisor email addresses.

The court documents reveal attackers accessed sensitive client information including identification documents, tax file numbers, bank account details, and credit card information: exactly the type of data cybercriminals target for identity theft and fraud.

ASIC's lawsuit alleges Fortnum violated multiple provisions of the Corporations Act by failing to provide financial services "efficiently, honestly and fairly" and not maintaining adequate risk management systems. The regulator claims the company didn't have employees with cybersecurity expertise and failed to hire qualified consultants when developing its policies.

The case is scheduled for hearing on August 4, 2025. ASIC is seeking both a formal declaration of wrongdoing and financial penalties against Fortnum.

This article was written by Damian Chmiel at www.financemagnates.com.