Police continue investigations into a major alleged data breach that risks the personal details of more than a million club and pub patrons across NSW and puts a cloud over data collection, with clubs warned to ensure they are adhering to privacy obligations.
News broke last week of the suspected breach, linked to third-party IT provider Outabox, which has installed technology including sign-in systems in Australian hospitality venues and overseas casinos.
A website claiming 1,050,169 personal records globally were compromised was set up – seemingly by someone with knowledge of the Outabox systems – claiming personal information, signatures, phone numbers, facial recognition and driver licences, including some belonging to senior figures, such as NSW Premier Chris Minns. Authorities advise people potentially affected should wait for confirmation before replacing driver licences.
“Detectives are working closely with other federal and state agencies to contain the breach and have the site taken offline as a matter of priority,” said Detective Acting Superintendent Gillian Lister of the NSW cybercrime squad.
“Now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible,” advised Lister.
“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link.”
The affected businesses – totalling 17 pubs and clubs – are: Breakers Country Club (Wamberal), Bulahdelah Bowling Club, Central Coast Leagues Club (Gosford), City of Sydney RSL, Club Old Bar, Club Terrigal, East Cessnock Bowling Club, Erindale Vikings, Fairfield RSL, Gwandalan Bowling Club, Halekulani Bowling Club (Budgewoi), Hornsby RSL, Ingleburn RSL Club, Mex Club (Mayfield), The Diggers Club, The Tradies Dickson, West Tradies (Dharruk), and unspecified Merivale venues.
A Merivale spokesperson said they were not aware of any of their patrons’ data being stolen and that the group’s exposure is limited, as their venues use different data systems and pubs do not require sign-in.
ClubsNSW called an emergency meeting with affected venues, advising them to notify patrons whose personal information may have been compromised.
“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can,” said a spokesperson.
“We wish to assure club members that additional updates will be provided once further details are confirmed.”
Police learned of the leak on Tuesday evening when Outabox reported to the federal government it had “become aware of a potential breach”. News emerged the next day, as some individuals believed to have been impacted received text messages.
On Thursday strike force detectives executed a search warrant in Fairfield West where they arrested a 46-year-old man. He was transported to Fairfield Police Station and charged with demand with menaces intend obtain gain/cause loss, before being granted conditional bail to appear at Fairfield Local Court.
Sydney-based Outabox was founded in 2017, based in doing business understanding casino players, operators, and technology. It went international in 2018, with installations in Macau and Manilla, into Vietnam in 2019 and the United States in 2022.
The offending website claims Outabox contracted a team of developers in the Philippines, providing access to all the personal data to create and maintain its venues software, backing up all data to the cloud. It says developers were “given access to raw data without any oversight from Outabox”.
However, it also claims Outabox refused to pay the developers for more than a year of work.
Outabox is co-operating with police and released a statement explaining that due to the ongoing investigation “we are not able to provide further information at this time”.
This comes as the latest in a procession of security breaches, affecting customers of Dymocks, Latitude Financial, Medibank and Optus, with some calling the cyberthreats the “new normal”.
The Optus breach in 2022, which affected up to 10 million of its customers, resulted in new legislation that increased penalties for serious or repeated data breaches, broaching fines of $50 million or more. Further to this, the federal government is planning a substantial overhaul of the Privacy Act.
Experts have suggested the Outabox breach may end up as serious as that of Optus, and are asking why pubs and clubs might be required to collect so much personal information and maintain facial recognition systems.
The Australian Information Commissioner’s data breach report counted 483 direct data breach notifications and 121 secondary breaches in the past six months, and noted that external contractors were being seen as a serious “weak spot” in protecting customer privacy.
“We’re absolutely seeing a rise in third party suppliers being the source of data breaches,” said recently appointed privacy commissioner Carly Kind at Privacy Awareness Week.
Kind stresses larger organisations, such as clubs, must ensure they pass on their privacy obligations to third-party suppliers.
The original trial of cashless gaming, at Wests Newcastle, was hacked mid-2023, and as the greatly expanded trial continues to be rolled out the risk of compromise has also greatly increased, leading to questions on what the trial might achieve given its hurdles.
Authorities say people whose IDs have been compromised should contact ID Support NSW.
“It is a criminal offence to deal in stolen personal information. The Australian Government strongly discourages people from looking for or accessing the data impacted, as this just feeds into the business model of those seeking to do us harm,” the National Cyber Security Coordinator posted on social media.
Report any suspected incidents of cybercrime through the Australian Cyber Security Centre or Scamwatch, says Lister.
