A ransomware crew calling themselves FulcrumSec has started leaking data from youX, a vehicle finance and broker platform, after the company refused to pay. As reported by CarExpert, the haul includes 229,236 unique Australian driver licence numbers and the personal records of around 444,000 borrowers. Less reported: the same dump contains data from 797 Australian finance firms — corporate names, ABNs, BSB and account numbers, staff directories, and entire customer portfolios.

That last bit is what should prick the ears of wealth managers, mortgage brokers, and any financial services business that has ever shared client data with a third-party platform. youX’s customers didn’t sign up for youX. Their information ended up there because brokers used the platform.

For Australian wealth managers, this is a textbook third-party risk story with three immediate takeaways. First, your obligations under APP 11 cover personal information you hand off to a service provider — you don’t get to outsource the responsibility, only the operational work. Second, the new mandatory reporting rules under the Cyber Security Act 2024 mean that if your firm has annual turnover above $3 million and is hit by ransomware or extortion, you have 72 hours to report any payment to the ASD. Third, the OAIC has been clear about its 2026 enforcement priorities, and “excessive data collection and retention” is on the list — which is exactly how clean licence images end up in a structured database for years after they were captured.

This week, do four things. Pull a list of every third-party platform that holds your client data. Confirm whether any of your historical broker submissions might have flowed through youX. Ask each provider in writing how they encrypt data at rest and how long they retain identity documents. And review your own retention schedule — if you don’t need a stored licence scan, don’t keep it.

If you’d like a hand running a third-party data audit or tightening your retention controls, the team at All IT Services can help.