Aussie fintech youX confirmed this week that it was the victim of a cyber security incident that has impacted almost half a million Australians.
The data impacted is largely financial, alongside driver’s licenses, addresses, and even the details and passwords of hundreds of mortgage brokers and their employees.
A good portion of the data has already been shared on a popular hacking forum, and the hacker is threatening to publish more stolen data in the coming weeks.
However, according to one cyber security expert, the incident need never have happened.
“There are two distinct components related to this incident involving youX that are important to understand,” Satnam Narang, senior staff research engineer at cyber security firm Tenable, told Cyber Daily.
“The first: the cyber hygiene component. The threat actors that stole this data were able to do so because of a lack of proper cyber hygiene, as the database holding personally identifiable information on hundreds of thousands of loan applications was hosted in a MongoDB server, which could have been vulnerable to a known vulnerability or as part of an unprotected database server.”
“The threat actors cited a previous example of a misconfigured Amazon S3 bucket discovered by a security researcher involving the same firm. Whether it was a vulnerability or an unprotected database, the outcome is the same: personally identifiable information has been obtained by a threat actor, and it is being held for ransom.”
According to Narang, extortion-focused attacks like this one are a primary focus of many hackers, who don’t even need to go to the trouble of deploying anything like ransomware or other malware when an organisation’s crown jewels – customer data – is left wide open.
“It just requires the theft of stolen data and the fear of public disclosure to compel compromised organisations to pay up,” Narang said.
He also noted that the second major issue is the risk of follow-on attacks now that so much personal data is in circulation in the criminal ecosystem.
“When personally identifiable information is disclosed, whether it is traded by threat actors or sold to the highest bidders, it can be weaponised for follow-on attacks in the form of phishing and vishing,” Narang said.
“Armed with these sensitive details, attackers gain an unfair advantage when contacting their targets, because they possess knowledge that shouldn’t be available to everyone.”
The CEO of the Mortgage and Finance Association of Australia, Anja Pannek, has also responded to the youX breach, warning brokers of the importance of proper cyber security processes.
“Mortgage and finance brokers do handle highly sensitive financial and personal information every day. That makes our sector an attractive target for cyber criminals,” Pannek told Broker Daily.
“Strong cyber resilience practices are not optional; they are core to running a professional broking practice.
“Multifactor authentication and cyber insurance, using open banking solutions as opposed to screen scraping, and having a plan in place should your business experience a cyber incident, should be a baseline.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.