iscover 
Sydney-based asset finance fintech youX – a technology platform used by thousands of brokers and the third-party technology system of aggregation group Viking Asset Aggregation – has confirmed that a threat actor has released data that it claims to have obtained from the youX platform.
YouX first revealed on 9 February that it had become aware of claims made by an outside actor regarding its internal systems.
Once identified, the company said it “acted immediately to contain the issue and commenced a detailed investigation with specialist external experts”.
Since then, the fintech has confirmed that “a threat actor has released data that it claims to have obtained as part of its unauthorised access”.
“As a result, we have identified that select personal information may have been compromised,” youX said in a statement to Broker Daily.
What was allegedly taken?
According to threat actors on the dark web, they have allegedly exfiltrated the personal and financial data of 444,538 borrowers, including incomes, debts, government IDs, and home addresses.
The threat actors allege they have taken 629,597 loan applications, as well as hundreds of thousands of texts between brokers and their clients.
In a preview of the data issued on the dark web, the hackers claim to have published data from 149,349 loan applications totalling $3.7 billion submitted to 93 lenders with over 5,000 driver’s licences, residential histories, and employment records.
They also claim to be holding more than 8,000 password hashes for broker employees, as well as data belonging to 797 broker organisations, including ABNs, banking details, staff directories, and full customer portfolios.
The hackers said they had held the data to ransom and would be releasing the full dataset – which reportedly includes nearly half a million borrowers with eight broker companies – over the coming weeks if youX does not pay the ransom. They have already allegedly issued a 'preview' of the data on the dark web.
youX has formally notified the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC). Under the Notifiable Data Breaches (NDB) scheme, Australian entities are required to notify individuals and the regulator if a data breach is likely to result in “serious harm”.
“Now that the incident has evolved, we will proceed with lodging the appropriate regulatory notifications,” youX said.
The fintech added that it has “continued to work closely with specialist external experts to thoroughly examine the nature and scope of the incident”.
At this stage, youX has not provided a specific timeline for when the investigation will be completed, noting that it is “actively engaging with stakeholders and supporting any communication efforts as required to ensure consistent, clear and timely information is provided”.
Its statement continued: “Protecting personal information and maintaining trust remain our highest priorities.
“We have implemented additional security controls and enhanced monitoring across our systems. We are also undertaking further security uplift initiatives to strengthen our environment.
“We regret that this incident has occurred and recognise the importance of transparency. We remain focused on reinforcing and sustaining robust resilience measures across the organisation, consistent with recognised industry standards and best practice frameworks.”
The company has advised any concerned users to reach out via its dedicated Cyber Incident web page on its website.
Viking Asset Aggregation acknowledged the incident.
“Viking Asset is aware that one of our finance technology partners youX has recently experienced an IT security incident that involved unauthorised access to their systems by a third party,” Viking Asset’s general manager, Simon Gwynne, said.
“The youX software platform is available to brokers within the Viking Asset network to support asset finance application management. youX identified unauthorised access to their systems by a third party and immediately initiated an investigation with external experts to address the incident. youX has now confirmed that as a result of the incident, personal information may have been compromised.
“We understand that youX has implemented additional security controls and enhanced monitoring across their systems and are also undertaking further security uplift initiatives to strengthen the environment. The platform remains operational.
“youX have also established a dedicated webpage to respond to questions and provide assistance.
“Viking Asset continues to work closely with youX to actively engage with our stakeholders, supporting any inquiries and will provide updates if any additional relevant information becomes available.”
[Related: Firstmac hacked by ransomware gang]