444,000+ Australians' Financial Data Exposed By a Company They Didn't Know Had It

On 19 February 2026, Sydney-based fintech platform youX confirmed a data breach exposing the personal and financial records of 444,538 Australians. The exposed data includes income details, government identification documents, home addresses and loan applications.

Most people affected had probably never heard of youX.

youX is an asset finance technology platform used by more than 11,500 dealer and broker users and over 80 accredited lenders across Australia. The platform is built to manage, assess and submit loan applications, facilitating $7.4 billion in finance opportunities each year.

Because of how that system works, hundreds of thousands of Australians had personal financial data sitting inside youX without ever dealing with the company directly.

Reporting on the breach confirms the stolen data includes:

• Government-issued ID documents, including over 229,000 driver's licences

• Income details and loan applications totalling $3.7 billion across nearly 150,000 records

• Home addresses, phone numbers and email addresses

• Banking records from 797 broker organisations

youX has taken the steps required under Australia's Notifiable Data Breaches scheme: notifying the Office of the Australian Information Commissioner (OAIC), contacting affected individuals, and engaging external cybersecurity experts to investigate. These are the right actions to take after a breach, but they do not undo the exposure.

Why This Breach Is Different

What makes this breach particularly significant is not just the volume of data involved. It is how that data got there.

Most of the 444,000 Australians affected were likely unaware that youX held their data at all. Their information ended up there because their broker used the platform as part of a standard loan process.

This is what a supply chain breach looks like. The risk does not come from a company you chose to deal with. It comes from a platform running in the background of a process you trusted someone else to manage. There was no way to know your data was there, and no realistic way to opt out even if you had.

This is also not unique to youX. Finance brokers, mortgage lenders and other financial services providers routinely rely on third-party platforms to process applications. Each of those platforms holds sensitive borrower data, and is a potential point of exposure.

Regulators are paying attention. Just weeks earlier, ASIC secured a $2.5 million penalty against FIIG Securities for cybersecurity failures that exposed the data of 18,000 clients. It was the first time Australia's Federal Court imposed civil penalties of this kind. A penalty does not undo the harm to those affected, but it makes clear that protecting client data is now a legal obligation with real consequences.

What Should You Do?

If you think you may be affected, here is what to do.

1. Find out if your broker uses youX

youX is in the process of contacting affected individuals. If you receive a notification, follow the steps they recommend and take them seriously.

Contact any banks, lenders or brokers you have dealt with and ask whether they use youX. If they do, treat your data as potentially exposed and take the following precautions regardless.

2. Change your passwords

Update passwords on your bank accounts, email and any financial services accounts. If you reuse passwords across multiple accounts, change all of them.

3. Request a new driver's licence card number

You can request your licence card number be reissued. It does not change your licence number, but it invalidates the card number that may have been stolen. Contact your state or territory's roads and transport authority to arrange this.

4. Monitor your accounts

Check your bank accounts and credit history for any activity you do not recognise. You can request a free copy of your credit report.

You can also place a temporary ban on your credit file, preventing new credit being opened in your name without extra verification. It is free and available through the credit reporting agencies directly.

5. Watch for suspicious activity

Be alert to unexpected messages that reference your personal details. Scammers may use real information from this breach to make contact appear legitimate.

6. Report if something seems wrong

If you think your identity has been misused, reach out to your bank or financial institution directly.

How Secure ISS Can Help

Your personal data moves through platforms you may not know exist. If you want to understand your exposure, or if you are part of an organisation looking to protect client data, Secure ISS provides monitoring and governance services built for the Australian market. Get in touch with us today.