Correction on 5 June, 2024: This article originally referred to a data breach that affected ClubsNSW. However, this breach originated from IT provider OutABox and impacted hospitality venues across NSW, only some of which belonged to ClubsNSW. This article has been updated to more accurately describe the origins of the breach and who was affected.
A new data breach affecting New South Wales (NSW) hospitality venues has exposed the details of over one million Australians, heightening their risks of cybercrime and identity fraud. The breach primarily affects those in New South Wales, along with anyone who has visited establishments in the state.
Originally billed as a ClubNSW data breach, it’s worth noting that the breach happened through third-party provider OutABox and impacts numerous businesses, even if they are not part of the ClubNSW network.
Cybercrime Squad detectives have arrested a 46-year-old man from Fairfield West who they say is linked to the breach. Impacting clubs and venues across NSW, personal details like driver’s license details, club membership data, signatures and addresses were compromised and published online.
The breach, which came to light following police raids, is now under intense scrutiny by State Crime Command’s Cybercrime Squad. The investigation has been dubbed Strike Force Division and is still unfolding, while experts warn that the exposure increases the likelihood that the stolen data will be used for scams or fraud.
Let’s dive into what we know now.
The breach has now been directly linked to OutABox, a third-party IT provider that services hospitality venues and casinos in Australia and overseas. The technology is involved in front-of-venue sign-in systems and analysts have identified it as the main point of vulnerability enabling the breach.
As for the specifics of the breach itself, unsurprisingly OutABox hasn’t shared much because investigations are still ongoing. However, in a statement, the business said the breach involved a sign-in system for clients.
Outabox has become aware of a potential breach of data by an unauthorised third party from a sign in system used by our clients… We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to.
A website, allegedly set up by individuals with insider knowledge of the OutABox systems, claims that over a million personal records globally have been compromised. This includes not only names and addresses but also highly sensitive data such as facial recognition metrics, driver’s licenses, signatures and phone numbers.
The website features a search function that allows individuals to check whether their personal information has been affected by the data leak. This not only confirms the breadth of the data compromised but also implicates high-profile victims, including senior government figures such as NSW Premier Chris Minns.
Similar to other major data breaches, including the cyber attacks that impacted Latitude Financial or HWL Ebsworth, both individuals and businesses face higher risks of fraud and cybercrime. These risks don’t just affect those immediately impacted, either – even unrelated individuals and organisations can be targeted using ill-gotten personal details.
Det. Chief Supt. Grant Taylor of the State Crime Command has stated that not all victims have been identified, urging the public to wait for official notifications to confirm if their information was compromised. Meanwhile, efforts are underway to shut down the website that initially leaked the data. However, as of now, the complete extent of accessible data remains unclear.
The breach has also raised questions about the security protocols of third-party IT providers. In this instance, the software affected was widely used during the COVID-19 pandemic for signing in club patrons. Organisations of all kinds can – or should be – reassessing their data retention practices and may need to consider moving away from maximalist positions that see organisations hanging on to as much data as possible, for as long as possible.
Some of the affected venues belong to the ClubsNSW association. ClubsNSW has responded to the crisis by meeting with all impacted clubs to coordinate a response and support efforts to notify and protect club patrons. They’ve also reiterated calls for patrons to be cautious with their digital communications in the coming days.
To combat these risks, any club-goers in NSW or elsewhere in Australia should take stock of their digital security hygiene immediately. This means:
Crowdstrike outage aftermath: Government warnings, scam attempts, and essential steps to safeguard your business from cybercriminals.
See how a Rite Aid data breach compromised 2.2M customers’ data through an elaborate impersonation attack. Learn about the risks and preventive measures.
AT&T’s data breach exposes phone records of 110 million customers in Snowflake cyber incident, highlighting cloud security risks. Learn more.
Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.
