iscover 
On Wednesday (18 February), asset finance fintech youX confirmed an incident in which a threat actor may have taken personal and financial information from brokers and their clients.
The Mortgage and Finance Association of Australia (MFAA) said the youX data breach serves as a timely reminder that cyber security must remain front of mind for mortgage and finance brokers.
The industry body outlined a number of ways that brokers can protect themselves, including multi-factor authentication and cyber insurance.
“Mortgage and finance brokers do handle highly sensitive financial and personal information every day. That makes our sector an attractive target for cyber criminals,” MFAA CEO Anja Pannek said.
“Strong cyber resilience practices are not optional, they are core to running a professional broking practice.
“Multi-factor authentication and cyber insurance, using open banking solutions as opposed to screen scraping, and having a plan in place should your business experience a cyber incident should be a baseline.”
Pannek encouraged all brokers to access the free Cyber Wardens program, a national initiative of the Council of Small Business Organisations of Australia (COSBOA) and the federal government aimed specifically at small businesses.
What happened?
YouX first revealed on 9 February that it had become aware of claims made by an outside actor regarding its internal systems.
Once identified, the company said it “acted immediately to contain the issue and commenced a detailed investigation with specialist external experts”.
According to the threat actors’ post on the dark web, they have allegedly exfiltrated the personal and financial data of 444,538 borrowers, including incomes, debts, government IDs, and home addresses.
This includes 629,597 loan applications, as well as data belonging to 797 broker organisations, including ABNs, banking details, staff directories, and full customer portfolios.
The hackers have allegedly published a 'preview' of the data on the dark web, which already includes 149,349 loan applications totalling $3.7 billion, submitted to 93 lenders.
They said they have held the data to ransom and would be releasing the full dataset over the coming weeks if youX does not pay.
Follow-on impact
Speaking with sister brand Cyber Daily, one cyber expert suggested that the biggest danger of cyber attacks is the follow-on impact.
Cyber security company Rapid7’s director of vulnerability intelligence, Douglas McKee, explained that the reason companies such as youX would be an attractive target for criminal hackers was the same reason the breach could have such a long-lasting impact.
“When you look at what happened with youX, the headline is not just that data was exposed, it is the type of data and the ecosystem it sits in. We are talking about client and broker information in a fintech platform that brokers use as part of their daily workflow. In financial services, platforms like this become aggregation points,” he said.
“They centralise identity documents, contact details, financial context, and sometimes authentication artifacts. That makes them incredibly attractive to threat actors because one compromise can yield a dataset that is immediately monetisable for fraud, phishing, and downstream account takeover.
“Sure enough, once a massive dataset is circulating online, the attack surface extends far beyond the original platform. Brokers, clients, and even partner organisations now have to assume their information may be used in highly targeted social engineering campaigns. The reality of it is that breaches like this are rarely isolated events. They tend to become force multipliers for other criminal activity.”
Mckee added that cyber attacks like these will continue to have knock-on consequences long after the event, as the breach both inspires further assaults and diminishes industry confidence.
He said: “What concerns me most is not just the initial intrusion but the secondary and tertiary impacts. Once threat actors demonstrate they can access and publish large volumes of data, copycat activity and credential stuffing campaigns often follow.
“I have spent a lot of time looking at how attackers chain seemingly small exposures into larger fraud operations, and this is exactly the kind of dataset that enables that. Even if core financial systems were not directly manipulated, the reputational and trust impact can be significant in a broker driven market. This becomes extremely important because trust is the currency in financial services.”
The MFAA also acknowledged that incidents such as this can expose brokers and their clients to follow-on scam activity, making preparedness and response just as important as prevention.
Recognising this risk, the MFAA has developed a comprehensive resource guide for members, available on its website.
[Related: Unchecked AI use could expose brokers to growing risk]