EXCLUSIVE: Hackers who claimed to have stolen 141GB of data from fintech Youx have told Information Age the company agreed to pay a ransom.

Threat actor ‘FulcrumSec’ claimed to have breached Sydney-based finance tech company Youx early last week, according to dark web monitoring platform Daily Dark Web.

In a “breach preview” posted to a popular hacking forum, the group of cybercriminals said it had exfiltrated the “personal and financial data” of 444,538 unique financial borrowers, along with details from 629,597 loan applications.

Notably, the alleged data leak appeared to be taken down within hours of reaching its online hacker audience.

After reaching out to FulcrumSec to ask why its forum post had been removed, Information Age was told Youx had agreed to pay a ransom.

“They finally opened to paying up two hours after the post,” the group said via encrypted messaging app Telegram.

“We want to provide data, but we primarily want to make $$$ from victim companies ;) [sic].”

According to the threat actor’s original forum post, Youx originally turned down an offer to “permanently delete the data for roughly a dollar per affected person”.

When asked whether Youx had indeed paid a ransom, a company spokesperson responded to Information Age with an existing statement.

“Youx confirms that it has identified unauthorised access to its systems, by a third party, as part of an ongoing investigation into an IT security incident,” they said.

“We are now aware that a threat actor has released data that it claims to have obtained as part of its unauthorised access.

“As a result, we have identified that select personal information may have been compromised.”

What was stolen?

After allegedly pilfering “22 production databases”, 141GB from an online storage cluster and 16 gigabytes from something called “prodApply”, the threat actor claimed to have stolen borrowers’ home addresses, incomes, debts, and government IDs.

The breach allegedly constituted “millions of documents”, which further included Australian driver licence numbers, private SMS conversations between brokers and customers, mappings of Vehicle Identification Numbers (VINs) to licence plates, notes on individuals’ “financial and legal difficulties”, and more.

FulcrumSec added that data related to some 93 downstream lenders – including prominent banks ANZ, Westpac and Commonwealth Bank of Australia – had been stolen.

Hackers allegedly stole a disastrous amount of data. Source: Daily Dark Web

Some 8,075 password hashes from the employees of brokers who used Youx were also allegedly taken.

“These are active broker accounts… crack a couple and log right in,” wrote the hackers.

“Each cracked password [equals] a live login to the Youx platform with access to that broker’s customer data.”
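The hackers’ claim rests on a simple arithmetic: if a stolen hash can be guessed quickly and the platform accepts a password alone, every recovered hash is a login. The added example below is not Youx’s code and the article does not say which algorithm protected the 8,075 hashes; it uses a constructed wordlist and three made-up broker passwords to show how the same dictionary attack behaves against an unsalted fast hash (assumed here to be SHA-256) versus a salted, iterated KDF (PBKDF2-HMAC-SHA256). Both hash types yield the weak passwords; what changes is the cost per guess, which is what decides whether “crack a couple” takes seconds or years at scale.

```python
import hashlib
import os
import time

# Constructed sample data (not from the incident): a small attacker wordlist and
# three broker-style passwords, two weak and one strong.
WORDLIST = ["password", "Welcome1", "Summer2024", "broker123", "letmein", "Qwerty!1"]
SAMPLE_PASSWORDS = ["Welcome1", "broker123", "Xk9$tq!Lm2#vB"]

# Assumption: the "weak" storage scheme is a single unsalted SHA-256.
def fast_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Assumption: the "strong" storage scheme is salted PBKDF2-HMAC-SHA256.
# 100_000 iterations keeps the demo quick; production should use more.
def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def crack_fast(hashes: list[str], wordlist: list[str]) -> dict[str, str]:
    """Dictionary attack on unsalted fast hashes: hash the wordlist once,
    then every stolen hash is a lookup. Cost does not grow with the number
    of victims, which is why a dump of thousands of hashes is so cheap."""
    table = {fast_hash(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}

def crack_slow(records: list[tuple[bytes, str]], wordlist: list[str],
               iterations: int = 100_000) -> dict[str, str]:
    """Dictionary attack on salted iterated hashes: the salt defeats the
    precomputed table, so every (victim, guess) pair costs a full KDF run."""
    cracked = {}
    for salt, h in records:
        for w in wordlist:
            if slow_hash(w, salt, iterations) == h:
                cracked[h] = w
                break
    return cracked

def run_demo(iterations: int = 100_000) -> dict:
    """Hash the sample passwords both ways, attack both sets, and report how
    many fell and the measured cost ratio per guess."""
    fast_hashes = [fast_hash(p) for p in SAMPLE_PASSWORDS]
    slow_records = [(os.urandom(16), None) for _ in SAMPLE_PASSWORDS]
    slow_records = [(salt, slow_hash(p, salt, iterations))
                    for (salt, _), p in zip(slow_records, SAMPLE_PASSWORDS)]

    t0 = time.perf_counter()
    fast_cracked = crack_fast(fast_hashes, WORDLIST)
    fast_seconds = time.perf_counter() - t0

    t0 = time.perf_counter()
    slow_cracked = crack_slow(slow_records, WORDLIST, iterations)
    slow_seconds = time.perf_counter() - t0

    # Per-guess cost: the fast attack made len(WORDLIST) hash calls in total,
    # the slow attack made one KDF call per (record, guess) pair it tried.
    slow_guesses = sum(
        WORDLIST.index(slow_cracked[h]) + 1 if h in slow_cracked else len(WORDLIST)
        for _, h in slow_records
    )
    fast_per_guess = fast_seconds / len(WORDLIST)
    slow_per_guess = slow_seconds / slow_guesses
    return {
        "fast_cracked": sorted(fast_cracked.values()),
        "slow_cracked": sorted(slow_cracked.values()),
        "cost_ratio_per_guess": slow_per_guess / max(fast_per_guess, 1e-9),
    }

if __name__ == "__main__":
    result = run_demo()
    print(f"fast hash: cracked {result['fast_cracked']}")
    print(f"slow hash: cracked {result['slow_cracked']}")
    print(f"slow scheme costs ~{result['cost_ratio_per_guess']:.0f}x more per guess")
```

The weak passwords fall either way; the strong one survives both because it is not in the wordlist. The KDF does not rescue a bad password, it only multiplies the attacker’s bill per guess by the iteration count, and salting removes the one-table-for-all-victims shortcut that makes a bulk dump attractive. The second half of the hackers’ claim, that a cracked hash “equals a live login”, is the part that multi-factor authentication on broker accounts is meant to break, which is consistent with the MFA advice quoted later in the article.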

Hacker shows restraint

FulcrumSec said it intentionally removed “the most vulnerable individuals’ data” before publication.

This meant Centrelink recipients, temporary visa holders and borrowers in “catastrophic debt” were supposedly spared from the leak.

“Their data is in our possession but not in this preview; nor will it be leaked with the full data set,” the hackers wrote.

“They have it hard enough without having their identities stolen.”

The collective went on to criticise Youx for failing to adequately fix a vulnerability identified by white hat security researcher Jeremiah Fowler in March last year.

Notably, the short-lived preview sample of leaked data allegedly included “$3.7 billion in loan applications across 149,349 records, submitted to 93 lenders, with 5,010 driver’s licences, 5,955 residential histories, and 5,955 employment records”.

Preparing for possible damages

Richard Berkahn, partner at cyber-law firm Atmos, told Information Age current clients of Youx should “prepare as if your data has been impacted and it could be disclosed online”.

In addition to enforcing multi-factor authentication and stress-testing existing incident response plans, Berkahn suggested potential victims should map the data they store with Youx and update any dark web and media monitoring tools to ensure they catch any mentions of the incident.

“Listed organisations should also consider their market disclosure obligations in connection with the incident,” said Berkahn.

“Keep detailed documentation evidencing ongoing attempts to obtain information from Youx and attempt to independently verify responses received.”

Berkahn added if the threat actor’s claims “are to be believed”, the potential for data misuse events flowing from disclosed credit and loan applications “could be significant”.

“Bad actors are after information that they can easily monetise by committing identity theft,” he said.

Youx said it has kept the Office of the Australian Information Commissioner “informed throughout this matter” and will commence “appropriate regulatory notifications to affected individuals whose information may have been compromised”.

“We regret that this incident has occurred and recognise the importance of transparency,” a spokesperson said.

“We remain focused on reinforcing and sustaining robust resilience measures across the organisation, consistent with recognised industry standards and best practice frameworks.”