Clubs NSW
Summary
More than one million Australian ID records were exposed in a data breach affecting patrons of pubs and clubs across NSW, ACT, and Victoria in May 2024. Outabox, the IT services provider for these venues, confirmed unauthorized third-party access to its sign-in system.
Attack Vector
A group of unknown individuals claiming to be offshore developers subcontracted by Outabox allegedly accessed the sign-in system and published personal data on a website. NSW Police were alerted on May 1, 2024 to a website where personal information of club patrons from 17 venues had been published. The breach involved insider access or compromised contractor credentials.
Consumer Impact
The exposed data included facial recognition biometrics, driver license scans, signatures, addresses, dates of birth, and slot machine usage information from 19 pubs and clubs. Affected venues include RSL clubs in Sydney, Fairfield, Hornsby, Ingleburn, Wamberal, and various bowling clubs across NSW and ACT locations. The inclusion of biometric data creates a permanent identity theft risk, because facial recognition data, unlike a password, cannot be changed.
Response
NSW Police established Strikeforce Division to investigate the breach. A 46-year-old was arrested in Fairfield West on May 2 by Cybercrime Squad detectives and charged with blackmail after allegedly threatening to share the personal details of over one million people. The rapid law enforcement response within 24 hours of the public disclosure demonstrates the severity with which authorities treated this incident.
Legal Proceedings
- Type: Criminal
- Status: Open
- Firm: NSW Police
- URL: https://australiancybersecuritymagazine.com.au/nsw-police-make-arrest-in-clubs-nsw-data-breach/
Impacted Organizations
The following entities have been confirmed as affected by this specific vendor breach:
- Outabox