OutABox
Summary
OutABox, an IT service provider operating front-of-venue sign-in systems for NSW hospitality venues, suffered a data breach affecting over 1 million patrons of pubs and clubs across NSW and the ACT. On May 2, 2024, NSW Police arrested a 46-year-old man from Fairfield West and charged him with blackmail in connection with the breach. The incident exposed driver's license details, signatures, and personal information collected through sign-in systems at 18 identified venues and unspecified Merivale locations.
What Happened
OutABox provides front-of-venue sign-in technology used by pubs, clubs, and RSLs across NSW and the ACT for security and regulatory compliance purposes. In late April 2024, the company's systems were compromised, leading to unauthorized access to patron data collected across multiple venues.
Venues were first notified of the breach on April 29, 2024, at 7:00 PM. An anonymously published leak site subsequently claimed to have obtained records from OutABox containing driver's licenses and personal information of over 1 million people who had visited affected venues.
On May 2, 2024, NSW Police Strike Force detectives executed a search warrant in Fairfield West and arrested a 46-year-old man. He was taken to Fairfield Police Station and charged with "demand with menaces intend obtain gain/cause loss" (blackmail). The suspect was granted conditional bail to appear at Fairfield Local Court on June 12, 2024.
The breach affected 18 confirmed venues plus unspecified Merivale hospitality locations:
- Breakers Country Club (Wamberal)
- Bulahdelah Bowling Club
- Central Coast Leagues Club (Gosford)
- City of Sydney RSL
- Club Old Bar
- Club Terrigal
- East Cessnock Bowling Club
- Erindale Vikings
- Fairfield RSL
- Gwandalan Bowling Club
- Halekulani Bowling Club (Budgewoi)
- Hornsby RSL
- Ingleburn RSL Club
- Mex Club (Mayfield)
- The Diggers Club
- The Tradies Dickson
- West Tradies (Dharruk)
- Merivale venues (unspecified locations)
Impact on Individuals
The breach exposed highly sensitive personal identification information of over 1 million patrons, including:
- Driver's license numbers and full license details
- Full names, dates of birth, and physical addresses
- Phone numbers and email addresses
- Handwritten signatures
- Club membership information
- Venue visit timestamps and dates
- In some cases, slot machine usage data
The combination of driver's license details with signatures is particularly serious, as it provides criminals with the components needed to forge identity documents. Driver's licenses are primary identity documents in Australia, used for everything from banking to government services, and, unlike passwords or credit cards, cannot be easily changed.
The exposure of visit timestamps and venue attendance patterns could enable:
- Targeted burglary when individuals are known to be away from home
- Social engineering attacks using knowledge of club memberships and visitation patterns
- Stalking or harassment based on predictable venue attendance
Affected individuals were advised to monitor credit files, enable additional identity verification with government agencies, and remain alert for phishing or identity theft attempts using their compromised information.
Organisational Response
OutABox notified the Office of the Australian Information Commissioner (OAIC) as required under the Notifiable Data Breaches scheme. The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) provided technical advice and assistance to OutABox during the incident response.
NSW Police Force and Australian Federal Police launched a criminal investigation, resulting in the arrest and charging of a 46-year-old man with blackmail offenses. The case remains active with ongoing legal proceedings.
The NSW Government established ID Support NSW to provide free assistance to affected individuals, including:
- Identity monitoring services
- Guidance on protecting against identity theft
- Support for obtaining replacement identity documents
- Credit monitoring assistance
OutABox stated that due to active police investigations, it was restricted in how much additional information could be shared publicly. The company committed to providing further details once able to do so without compromising the criminal investigation.
The incident highlighted significant supply chain security risks in the hospitality industry, where third-party technology providers collect and store sensitive patron information across multiple venues. A single breach of the service provider exposed data from 18+ venues, affecting over a million individuals.
The criminal charges against the arrested individual suggest the breach may have involved insider access or blackmail attempts rather than external hacking, though full details remain subject to ongoing legal proceedings.
Impacted Organizations
The following entities have been confirmed as affected by this specific vendor breach:
- Breakers Country Club
- Bulahdelah Bowling Club
- Central Coast Leagues Club
- City of Sydney RSL
- Club Old Bar
- Club Terrigal
- East Cessnock Bowling Club
- Erindale Vikings
- Fairfield RSL
- Gwandalan Bowling Club
- Halekulani Bowling Club
- Hornsby RSL
- Ingleburn RSL Club
- Mex Club
- The Diggers Club
- The Tradies Dickson
- West Tradies
- Merivale venues