A man has been arrested as police continue to investigate a major alleged data breach that exposes the personal details of patrons of clubs and pubs across NSW and raises questions about how much data such venues collect.
News broke on Wednesday of a suspected breach, linked to third-party IT provider Outabox, which has installed technology including sign-in systems in Australian hospitality venues and overseas casinos.
Compounding the threat, a website has been set up claiming that 1,050,169 personal records worldwide were compromised, seemingly by someone with knowledge of Outabox's systems.
The website claims the data includes personal information, signatures, phone numbers, facial recognition data and driver licence details, among them the personal details of senior figures such as NSW Premier Chris Minns. Many people will need to replace affected documents.
“Detectives are working closely with other federal and state agencies to contain the breach and have the site taken offline as a matter of priority,” said Detective Acting Superintendent Gillian Lister of the NSW cybercrime squad.
“Now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible,” advised Lister.
“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link.”
The affected businesses, 17 named pubs and clubs plus unspecified Merivale venues, are: Breakers Country Club (Wamberal), Bulahdelah Bowling Club, Central Coast Leagues Club (Gosford), City of Sydney RSL, Club Old Bar, Club Terrigal, East Cessnock Bowling Club, Erindale Vikings, Fairfield RSL, Gwandalan Bowling Club, Halekulani Bowling Club (Budgewoi), Hornsby RSL, Ingleburn RSL Club, Mex Club (Mayfield), The Diggers Club, The Tradies Dickson, West Tradies (Dharruk), and the Merivale venues.
A Merivale spokesperson said they were not aware of any of their patrons’ data being stolen and that the group’s exposure is limited, as their venues use different data systems and pubs do not require sign-in.
ClubsNSW called an emergency meeting with affected venues, advising them to notify patrons whose personal information may have been compromised.
“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can,” said a spokesperson.
“We wish to assure club members that additional updates will be provided once further details are confirmed.”
Police learned of the leak on Tuesday evening when Outabox reported to the federal government it had “become aware of a potential breach”.
News emerged the next day, with some individuals believed to have been impacted receiving text messages.
On Thursday strike force detectives executed a search warrant in Fairfield West, where they arrested a 46-year-old man. He was taken to Fairfield Police Station and charged with "demand with menaces intend obtain gain/cause loss" before being granted conditional bail to appear at Fairfield Local Court.
Sydney-based Outabox was founded in 2017, with a business built on understanding casino players, operators and technology. It went international in 2018, with installations in Macau and Manila, expanding into Vietnam in 2019 and the United States in 2022.
It is thought the Australian venues' systems were configured by a third-party overseas contractor that had access to all the personal data, and that there may have been a dispute between the two organisations. Police are investigating this aspect as part of the inquiry.
Outabox is co-operating with police and released a statement.
“Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”
This comes as the latest in a procession of security breaches, affecting customers of Dymocks, Latitude Financial, Medibank and Optus, with some calling the cyberthreats the “new normal”.
The Optus breach in 2022, which affected up to 10 million of its customers, resulted in new legislation that increased penalties for serious or repeated data breaches, with fines of $50 million or more.
Experts have suggested the Outabox breach may end up as serious as that of Optus, and are asking why pubs and clubs might be required to collect so much personal information and maintain facial recognition systems.
The original cashless gaming trial, at Wests Newcastle, was hacked in mid-2023. As the greatly expanded trial continues to roll out, the risk of compromise has grown with it, raising questions about what the trial can achieve given these hurdles.
Authorities say people whose IDs have been compromised should contact ID Support NSW.
“It is a criminal offence to deal in stolen personal information. The Australian Government strongly discourages people from looking for or accessing the data impacted, as this just feeds into the business model of those seeking to do us harm,” the National Cyber Security Coordinator posted on social media.
Report any suspected incidents of cybercrime through the Australian Cyber Security Centre or Scamwatch, says Lister.