See if your information has been exposed in a data breach with our latest free tool Check Now
Cyber crime

1 million Aussies’ personal details exposed in ClubsNSW data breach

Shanna Hall
3 Min

A new data breach has exposed the details of over one million Australians, heightening their risks of cybercrime and identity fraud. The breach primarily affects those in New South Wales, along with anyone who has visited establishments in the state. 

Cybercrime Squad detectives have arrested a 46-year-old man from Fairfield West who they say is linked to the breach. Impacting clubs and venues across NSW, personal details like driver’s license details, club membership data, signatures and addresses were compromised and published online.

The breach, which came to light following police raids, is now under intense scrutiny by State Crime Command’s Cybercrime Squad. The investigation has been dubbed Strike Force Division and is still unfolding, while experts warn that the exposure increases the likelihood that the stolen data will be used for scams or fraud. 

Let’s dive into what we know now. 

How did the ClubsNSW data breach happen? 

The breach has now been directly linked to Outabox, a third-party IT provider that services hospitality venues and casinos in Australia and overseas. The technology is involved in front-of-venue sign-in systems and analysts have identified it as the main point of vulnerability enabling the breach.

What sort of data has been stolen? 

A website, allegedly set up by individuals with insider knowledge of the Outabox systems, claims that over a million personal records globally have been compromised. This includes not only names and addresses but also highly sensitive data such as facial recognition metrics, driver’s licenses, signatures and phone numbers. 

The alleged Outabox website features a search function that allows individuals to check whether their personal information has been affected by the data leak. This not only confirms the breadth of the data compromised but also implicates high-profile victims, including senior government figures such as NSW Premier Chris Minns.

What risks are involved in the ClubsNSW data breach?

Similar to other major data breaches, including the cyber attacks that impacted Latitude Financial or HWL Ebsworth, both individuals and businesses face higher risks of fraud and cybercrime. These risks don’t just affect those immediately impacted, either – even unrelated individuals and organisations can be targeted using ill-gotten personal details. 

Det. Chief Supt. Grant Taylor of the State Crime Command has stated that not all victims have been identified, urging the public to wait for official notifications to confirm if their information was compromised. Meanwhile, efforts are underway to shut down the website that initially leaked the data. However, as of now, the complete extent of accessible data remains unclear.

The breach has also raised questions about the security protocols of third-party IT providers. In this instance, the software affected was widely used during the COVID-19 pandemic for signing in club patrons. Organisations of all kinds can – or should be – reassessing their data retention practices and may need to consider moving away from maximalist positions that see organisations hanging on to as much data as possible, for as long as possible.

ClubsNSW response to the breach and next steps

ClubsNSW has responded to the crisis by meeting with all impacted clubs to coordinate a response and support efforts to notify and protect club patrons. They’ve also reiterated calls for patrons to be cautious with their digital communications in the coming days.

To combat these risks, any club-goers in NSW or elsewhere in Australia should take stock of their digital security hygiene immediately. This means: 

  • updating passwords
  • enabling two-factor authentication
  • being vigilant when intercepting calls, messages or emails, even if the sender looks familiar
Lone figure standing in crowd
Check to see if your details have been exposed
If your details have been caught up in a data breach, you – and your business – could be at higher risk of cybercrime or fraud. Use our free email checker to see if your details may be exposed.

Related articles

Cyber crime

Where does cybercrime come from?

Where does cybercrime originate? A private investigator, along with a world-first study into cybercrime origins, reveals who is behind common types of cyber attacks.

Read more

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.