As embattled fintech firm youX continues to manage the fallout from a data breach that compromised more than 140 gigabytes of personal financial data, the hacker behind the incident has come forward to say they will not publish any further data.
The hacker – whom Cyber Daily will not name – reached out to several media outlets, including this one, to explain their actions late last month.
“We have decided not to release any youX/Drive IQ data beyond what was shared in the breach preview, out of a desire to avoid the wave of identity theft across Australia this would inevitably enable,” the hacker said.
“We want to be crystal clear on something: this is not due to any action on youX's part. On the contrary, we make this choice in spite of them throwing their partners, lenders, brokers and borrowers under the bus due to their negligence, irresponsibility, and generally incoherent response to this breach.”
The hacker went on to explain that they only leaked the data they had already published to “punish” youX, and to make an example of them.
“We'll say it again. When the cybercriminals take better care of your data than you do, it is time for some serious self-reflection,” the hacker said.
“Once the youX leadership dig themselves out of the ruins of their company, perhaps they'll take the opportunity to do so.”
In a prior update on its clear web leak site, the hacker claimed that youX had been in contact with them to negotiate a solution, which resulted in the initial leak posts being taken down. However, according to the hacker, negotiations failed when a representative of youX issued them with an injunction notice threatening legal action.
“But in spite of our efforts, and the fact we'd immediately removed the posts when they finally contacted us at the right address, they had decided not to engage further,” the hacker said in a February 23 update on their leak site.
“Probably figured they would need the half million dollars we were asking for to pay the legal fees they're about to get slammed with. A shame.”
youX has not responded to Cyber Daily’s inquiries regarding the hacker’s claims, but has said on its website that it is in the process of contacting those impacted by the incident.
“We are now in the process of directly notifying individuals whose personal information has been identified as potentially affected by the recent IT security incident,” youX said in a February 27 update.
“If our review indicates that your information was involved, you will receive direct communication from us. This will include further details about the types of data involved, steps you can take to protect yourself, and information about the support available – including credit monitoring where applicable.”
While youX is contacting its customers, some of its partners have already decided to abandon the platform.
“MotorCycle Holdings Limited has been made aware that a cyber criminal has unlawfully gained access to systems operated by youX, a third-party software platform which the Company uses to facilitate finance applications by some customers,” the motorcycle supplier and wholesaler said in a February 18 update on its website – the same day news initially broke regarding the data breach.
“The customers potentially affected by the Data Incident are customers who financed a vehicle purchase with the assistance of the Company from July 2023 onwards.”
MotorCycle Holdings is now also in the process of contacting its customers who may have been impacted by the breach, but also said that it is no longer working with youX.
“The Company has suspended use of the youX platform,” MotorCycle Holdings said.
“The platform is not material to the Company's ongoing operations and the impact of the breach is not expected to materially affect financial results.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.