Loan applications, drivers licences, personal data of 440k Aussies exposed after hacker hits Sydney finance tech company youX

A hacker has exposed personal data belonging to hundreds of thousands of Australians it allegedly stole from a Sydney finance technology company.

Finance platform youX confirmed its systems were accessed by an unauthorised third party during a cyber security incident last week.

The company provides a business technology platform used by dealers and lenders to facilitate finance for vehicles, marine craft, equipment and leisure.

A hacker has claimed to have stolen the personal information from from 444,528 Australian borrowers including addresses, emails, phone numbers, government IDs and credit information.

Another 629,597 loan applications, 229,226 driver’s licence numbers and 607,522 residential addresses were allegedly stolen, along with banking records, customer and staff details from 797 broker organisations.

Australian technology outlet Cyberdaily shared a screenshot of the hacker’s claims on a forum.

In the post, the alleged hacker wrote only a preview of the dataset had been shared - which allegedly contains $3.7bn in loan applications across almost 150,000 records submitted by 93 lenders.

“Among other things, we were able to exfiltrate the personal and financial data of 444,538 unique borrowers – income, debts, government IDs, home addresses – because they trusted their finance brokers, and those brokers made the critical error of trusting youX,” the hacker stated.

A youX spokesman said the company acted immediately to contain the issue and started a detailed investigation with external experts.

“We are now aware that a threat actor has released data that it claims to have obtained as part of its unauthorised access. As a result, we have identified that personal information may have been compromised,” a spokesman said.

“In accordance with our legal obligations, we have kept the Office of the Australian Information Commissioner (OAIC) informed throughout this matter.

“We will also be commencing the appropriate regulatory notifications to affected individuals whose information may have been compromised.

“We are also actively engaging with our stakeholders and supporting any communication efforts as required to ensure consistent, clear and timely information is provided.”