Cyber crime

1 million Aussies’ personal details exposed in NSW hospitality data breach

Shanna Hall
4 Min

Correction on 5 June, 2024: This article originally referred to a data breach that affected ClubsNSW. However, this breach originated from IT provider OutABox and impacted hospitality venues across NSW, only some of which belonged to ClubsNSW. This article has been updated to more accurately describe the origins of the breach and who was affected.

A new data breach affecting New South Wales (NSW) hospitality venues has exposed the details of over one million Australians, heightening their risks of cybercrime and identity fraud. The breach primarily affects those in New South Wales, along with anyone who has visited establishments in the state. 

Originally billed as a ClubNSW data breach, it’s worth noting that the breach happened through third-party provider OutABox and impacts numerous businesses, even if they are not part of the ClubNSW network.

Cybercrime Squad detectives have arrested a 46-year-old man from Fairfield West who they say is linked to the breach. Impacting clubs and venues across NSW, personal details like driver’s license details, club membership data, signatures and addresses were compromised and published online.

The breach, which came to light following police raids, is now under intense scrutiny by State Crime Command’s Cybercrime Squad. The investigation has been dubbed Strike Force Division and is still unfolding, while experts warn that the exposure increases the likelihood that the stolen data will be used for scams or fraud. 

Let’s dive into what we know now. 

How did the OutABox data breach happen?

The breach has now been directly linked to OutABox, a third-party IT provider that services hospitality venues and casinos in Australia and overseas. The technology is involved in front-of-venue sign-in systems and analysts have identified it as the main point of vulnerability enabling the breach.

As for the specifics of the breach itself, unsurprisingly OutABox hasn’t shared much because investigations are still ongoing. However, in a statement, the business said the breach involved a sign-in system for clients.

Outabox has become aware of a potential breach of data by an unauthorised third party from a sign in system used by our clients… We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to.

What sort of data has been stolen?

A website, allegedly set up by individuals with insider knowledge of the OutABox systems, claims that over a million personal records globally have been compromised. This includes not only names and addresses but also highly sensitive data such as facial recognition metrics, driver’s licenses, signatures and phone numbers.

The website features a search function that allows individuals to check whether their personal information has been affected by the data leak. This not only confirms the breadth of the data compromised but also implicates high-profile victims, including senior government figures such as NSW Premier Chris Minns.

What risks are involved in the OutABox data breach?

Similar to other major data breaches, including the cyber attacks that impacted Latitude Financial or HWL Ebsworth, both individuals and businesses face higher risks of fraud and cybercrime. These risks don’t just affect those immediately impacted, either – even unrelated individuals and organisations can be targeted using ill-gotten personal details.

Det. Chief Supt. Grant Taylor of the State Crime Command has stated that not all victims have been identified, urging the public to wait for official notifications to confirm if their information was compromised. Meanwhile, efforts are underway to shut down the website that initially leaked the data. However, as of now, the complete extent of accessible data remains unclear.

The breach has also raised questions about the security protocols of third-party IT providers. In this instance, the software affected was widely used during the COVID-19 pandemic for signing in club patrons. Organisations of all kinds can – or should be – reassessing their data retention practices and may need to consider moving away from maximalist positions that see organisations hanging on to as much data as possible, for as long as possible.

ClubsNSW response to the breach and next steps

Some of the affected venues belong to the ClubsNSW association. ClubsNSW has responded to the crisis by meeting with all impacted clubs to coordinate a response and support efforts to notify and protect club patrons. They’ve also reiterated calls for patrons to be cautious with their digital communications in the coming days.

To combat these risks, any club-goers in NSW or elsewhere in Australia should take stock of their digital security hygiene immediately. This means:

  • updating passwords
  • enabling two-factor authentication
  • being vigilant when intercepting calls, messages or emails, even if the sender looks familiar
Lone figure standing in crowd
Check to see if your details have been exposed
If your details have been caught up in a data breach, you – and your business – could be at higher risk of cybercrime or fraud. Use our free email checker to see if your details may be exposed.

Related articles

The new security standard for business payments

End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.