If you have applied for a car loan or personal finance through an Australian broker in the last few years, your data may have been exposed. youX, formerly known as Drive IQ, is an Australian fintech platform that processes loan applications on behalf of hundreds of broker organisations and dozens of lenders. In February 2026, the company suffered a serious data breach that compromised the personal and financial details of hundreds of thousands of Australians.

What Is youX and Who Is Affected?

youX is a loan application processing platform used by brokers across Australia. Most people who are affected did not deal with youX directly. They applied for finance through a broker, whose system used youX behind the scenes.

Key Facts About the Breach

• Over 444,000 unique borrowers had their data compromised
• Approximately 797 broker organisations were affected
• 629,000+ loan applications were exfiltrated
• The stolen data represents approximately $3.7 billion in loan applications
• The breach was carried out by the ransomware group FulcrumSec
• youX obtained a Supreme Court of NSW injunction to prevent further data publication

What Data Was Stolen?

The compromised dataset is extensive and highly sensitive. According to cybersecurity researchers and information published by FulcrumSec, the stolen records include:

• Full names, residential addresses, and contact details
• Income, debt, and employment history details
• Over 229,000 Australian driver’s licence numbers
• Bank account and financial information
• 8,075 password hashes belonging to broker employees
• Loan application documents submitted to 93 lenders

What Happened

How the Breach Occurred

FulcrumSec exfiltrated 141 gigabytes of data from a MongoDB Atlas cluster and an additional 16 gigabytes from a secondary system. The breach appears to have involved a misconfigured or inadequately secured database.

This is particularly concerning because youX had previously been warned about a data exposure in March 2025, when a cybersecurity researcher discovered an unprotected Amazon S3 database and MongoDB instance. FulcrumSec alleged that despite youX’s assurances the 2025 issue was resolved, the database remained accessible for approximately ten months after the initial disclosure.

The Timeline

• March 2025 , Researcher discovers unprotected youX database; company claims it was resolved
• February 2026 , FulcrumSec breaches youX systems and exfiltrates 141GB of data
• February 2026 , Negotiations between youX and FulcrumSec break down
• February, May 2026 , FulcrumSec releases preview data publicly
• May 2026 , FulcrumSec announces it will not publish the full dataset, citing risk of mass identity theft
• May 2026 , youX obtains Supreme Court of NSW injunction to prevent further publication

youX’s Response

What the Company Has Done

• Confirmed the breach and acknowledged unauthorised access to its systems
• Commenced direct notification of affected individuals
• Obtained a Supreme Court of NSW injunction restricting further data publication
• Engaged cybersecurity experts to investigate and remediate

youX has not publicly disclosed the full technical details of how the breach occurred. The OAIC is likely examining the matter under the Notifiable Data Breaches scheme, given that the compromised data meets the threshold for serious harm.

What to Do If You Are Affected

If you have applied for vehicle finance, personal loans, or any broker-arranged credit in recent years, your data may have flowed through youX’s platform, even without a direct relationship with the company. Take these steps now:

Immediate Actions

• Watch for a notification from youX , they are contacting affected individuals directly
• Place a credit alert on your file with Equifax, Experian, and illion, this requires lenders to verify your identity before approving new credit
• Check your credit report for any accounts or inquiries you do not recognise
• Consider a driver’s licence ban if your state or territory allows it, contact your state transport authority

Ongoing Vigilance

• Be alert to targeted scams , criminals with your loan details, employer, and income information can craft highly convincing phishing attempts
• Never click links in unexpected emails or SMS messages referencing your finance or loan history
• Verify all communications through official channels before providing any information
• Report suspicious activity to ReportCyber (cyber.gov.au/report) and Scamwatch

Why This Breach Matters Beyond youX

The Supply Chain Risk Problem

Most affected borrowers never chose to use youX. Their data flowed through a platform they had no visibility of because their broker used it. This is supply chain risk in practice, and it applies to every business that passes customer data to third-party vendors.

Key Lessons for Australian Businesses

• You inherit your vendors’ security posture. When you send customer data to a third party, a breach of their systems can become your compliance problem.
• Prior warnings matter. A reported exposure that is not fully remediated creates serious liability when it leads to a breach.
• Court injunctions do not unring the bell. Once data has been exfiltrated and previewed publicly, the risk to affected individuals is ongoing regardless of legal orders.
• Database configuration is foundational. Misconfigured cloud databases remain one of the most common and preventable causes of data exposure.

The Regulatory Exposure

Under the Notifiable Data Breaches scheme, youX is legally required to notify both the OAIC and affected individuals where there is a risk of serious harm. The combination of financial data, government identification, and the involvement of a criminal group with a track record of data publication means the serious harm threshold is clearly met.

General Cybersecurity Advice for Financial Services and Fintech Businesses

What Would Have Helped Prevent This

• Database security audits , regular, independent review of cloud database configuration
• Penetration testing , simulated attacks to identify vulnerabilities before criminals do
• Full remediation of prior disclosures , a reported vulnerability must be fixed and verified, not just acknowledged
• Vendor security assessments , brokers and lenders passing data to third-party platforms should assess those vendors’ security posture
• Incident response planning , a tested plan reduces damage and ensures compliant, timely notification
• Data minimisation , only collect and retain data that is genuinely needed, and delete it when it is no longer required

At Otto IT, we help Australian financial services firms, fintech platforms, and professional services organisations build IT environments that take data security seriously from the foundation up. Whether your business needs a security assessment, help with your Privacy Act obligations, or a clearer view of how your vendors are handling your customers’ data, we can help.

Visit our managed cybersecurity services page to see how we approach security for Australian businesses, or talk to the Otto IT team to start the conversation.

Frequently Asked Questions

How do I know if my data was in the youX breach?

Watch for a direct notification from youX. The company has committed to contacting affected individuals. You can also check whether your email has appeared in known breaches at haveibeenpwned.com. If you applied for vehicle finance or personal loans through an Australian broker in recent years, there is a reasonable chance your data passed through youX’s platform.

Was my payment card or bank account compromised?

The stolen data includes income, debt, and financial details from loan applications, as well as bank account information provided during the application process. It does not appear to include payment card numbers in the traditional sense, but the financial information stolen is extensive and can be used to facilitate identity theft and fraudulent credit applications.

What should I do about my driver’s licence number?

Over 229,000 Australian driver’s licence numbers were stolen in this breach. Contact your relevant state or territory transport authority to ask about options for placing a ban or fraud alert on your licence, which makes it harder for criminals to use it for identity verification.

Has FulcrumSec published all the stolen data?

FulcrumSec stated it would not publish the full dataset, citing concerns about the scale of potential identity theft across Australia. However, the group released a preview of the data publicly before this announcement. The data is in criminal hands and the risk to affected individuals is ongoing.

Is youX still operating?

youX has confirmed it continues to operate and is working with cybersecurity experts to investigate and remediate the breach. It has obtained a court injunction to prevent further publication of the stolen data.

What is the Notifiable Data Breaches scheme and does it apply here?

The Notifiable Data Breaches scheme under Australia’s Privacy Act 1988 requires organisations to notify the Office of the Australian Information Commissioner and affected individuals when a data breach is likely to result in serious harm. Given the sensitivity of the data stolen and the involvement of a criminal group that has published a preview, youX’s obligations under the NDB scheme are clearly engaged.

How can my business avoid a breach like this?

The most important steps are regular security configuration audits of cloud infrastructure, penetration testing to identify vulnerabilities before attackers do, vendor security assessments for any third party that handles your customers’ data, and a tested incident response plan. Talk to Otto IT about a security assessment for your business.