What the youX Leak Tells Wealth Managers About Third-Party Platforms

A ransomware group called FulcrumSec has just listed Sydney-based fintech youX on its leak site, escalating a breach that’s already exposed roughly 229,000 Australian driver licence numbers and personal records tied to 444,538 borrowers, as reported by CarExpert. The data came from nearly 800 broker organisations that pushed loan applications through youX — borrowers who, in most cases, had never heard of the platform.

Why wealth managers should care

If you’re a financial advisor, mortgage broker, or wealth manager in Australia, this is the breach scenario you’ve been worrying about — only it lands on the back-end you outsourced to. Your clients trust you with their financial life. They don’t see the half-dozen fintech middlewares sitting between you and the lender, custodian, KYC provider, or compliance tool. Under the Privacy Act and the OAIC’s tougher 2026 enforcement posture, you remain accountable for personal information you’ve collected, even when it sits on a vendor’s misconfigured database for ten months.

And the regulatory tail is longer now. Australia’s mandatory ransomware payment reporting regime under the Cyber Security Act moved into Phase 2 enforcement on 1 January 2026 — if your firm turns over more than $3 million a year and ends up paying a ransom (or is aware a payment was made on your behalf), you have 72 hours to report it to the Australian Signals Directorate.

What to do this week

  • Pull the list of every third-party platform that touches client PII — broker portals, KYC/AML tools, advice software, marketing vendors, document repositories.
  • For each one, ask three things: where the data is hosted, what their breach notification SLA is, and whether they carry independent audit reports (SOC 2 Type II, ISO 27001).
  • If a vendor can’t answer those inside a fortnight, that’s your signal — either escalate or replace.
  • Review your own client engagement letters and privacy policy. Most need a refresh to reflect the Phase 2 ransomware reporting obligations and the OAIC’s tightened position on data minimisation.

We work with Australian wealth management firms on exactly this — vendor risk reviews and Privacy Act readiness without slowing your team down.
