Speaking to co-host Liam Garman on the Finance Specialist podcast, broker coach Trent Carter said the incident highlights how exposed brokers are in an increasingly digitised lending ecosystem and how breaches can undermine their role as trusted advisers.
“This is one of the first times that a data breach has touched so close to home,” Carter said.
“But as brokers, we’re a rich target and sometimes I think a relatively weak target. It’s incumbent on brokers to start thinking about this as a really big issue.”
Last Wednesday (18 February), asset finance fintech youX confirmed an incident in which a threat actor may have taken personal and financial information from brokers and their clients.
According to a post on the dark web, the threat actors allegedly exfiltrated the personal and financial data of 444,538 borrowers, including incomes, debts, government IDs, and home addresses.
This includes 629,597 loan applications, as well as data belonging to 797 broker organisations, including ABNs, banking details, staff directories, and full customer portfolios.
The actors said they have held the data to ransom and would release the full dataset over the coming weeks if youX does not pay.
“This is not an IT issue,” Carter added.
“It’s a revenue issue, it’s a business continuity issue, it’s a compliance issue, it’s a reputation issue in your business.”
Trust under pressure
Garman warned that the real risk lies in what happens after the headlines fade.
“We hear these things in the news and they go away… but they kick on for months and sometimes years,” he said.
“Cyber criminals are patient.”
The pair agreed that the value of the allegedly compromised dataset lies not just in its size, but in its specificity. Loan applications, identity documents, and broker-client communications provide criminals with detailed financial context, making targeted fraud easier.
“What we have online now, potentially up for grabs, is a treasure trove of data,” Garman said.
“This can really paint a picture about where you are in your life financially, also your personal information which allows threat actors to create quite sophisticated phishing campaigns to vulnerable Aussies.
“We’ve seen it in the past, especially in the real estate industry, we’ve seen examples where conveyancers have been hacked. And quite literally halfway through an email conversation the actual conveyancer loses control of the discussion and it gets picked up by the threat actor. The threat actor at the last second changes a few digits of an account number, changes a few digits of a BSB, and unknowingly, Australians are transferring their entire deposit into an account which is owned by a scammer.”
The alleged theft of broker-client chat logs in the case of youX increases that risk.
“Threat actors really know where you are in the finance process and they’re able to come up with very sophisticated ways of attacking you,” Garman said.
Reputation as a competitive risk
Beyond fraud, Garman emphasised the reputational risk in a broker-driven market.
“Market research has shown that 60–70 per cent of people will never use a business again if you’ve been caught in a data breach,” he said.
“At the end of the day, there are a lot of brokers out there. And in terms of the commodity, in terms of the service, you can move to another broker very simply. So if you’re the broker that’s caught up in a data breach, it’s very reasonable to say that you could very much lose much of your business overnight.”
The responsibility question
The pair cautioned against viewing cyber risk as someone else’s responsibility, whether that be aggregators or third-party providers.
“If you’re the person involved with the initial interface of collection of people’s data … there has to be some level of responsibility,” Carter said.
Garman and Carter said brokers do not need enterprise-level infrastructure to reduce exposure, but they must implement baseline protections such as multi-factor authentication, strong password management, and regular software patching across devices.
There are a variety of ways brokers can protect themselves from data breaches, many of which were outlined in guidance given to Broker Daily by the Mortgage and Finance Association of Australia in the wake of the breach.
Carter stressed that becoming “minimally viable secure” is both low-cost and relatively simple.
“A big thing is attitude in your business,” he continued.
“It doesn’t matter if you’re a one-man band, you’ve got five brokers, or you’ve got 200 brokers, it’s not a small or big business problem, it’s an every business problem.
“Just having an attitude of security is important. If you get those minimum things in place and you make it that bit more difficult, hackers will often just move on to the next target.
“That’s probably the first step that brokers can do is just implement the little things, get tidied up, and then have just a regular check following that, so you know you’ve always got these minimum things in place, and you’re educating everyone around the business.”