Thousands at risk in major data breach

Cybercrime Squad detectives have arrested a 46-year-old man at a property in Fairfield West in relation to a mass data breach in NSW involving about one million people.

Detectives raided the property on Thursday afternoon and have taken the man to Fairfield Police Station where he is expected to be charged with blackmail.

People of “prominence” are among victims who had their personal details compromised in a data breach that has impacted about one million people who visited specific clubs in NSW.

Cybercrime Squad detectives have been investigating an alleged data breach that threatens to expose the personal details of more than one million people.

Police officers attached to State Crime Command’s Cybercrime Squad were alerted to a website which had published the personal information of patrons who used their driver’s licences to sign in at specific clubs across NSW.

That data breach is now being investigated under Strike Force Division, which aims to uncover how the data breach occurred and which, if any, criminal offences are connected to the incident.

State Crime Command’s Serious Crime Directorate detective chief superintendent Grant Taylor said police were engaging with some people who had been affected by the breach.

“There is no doubt there are individuals of some prominence in that total set of people’s names who have been put forward, I won’t go into specifics about individual people, but we are engaging people we need to engage,” he said.

“We do not know the details of all one million people at this stage, I would wait until you are advised that you are in fact a person who has been identified as being on that website.”

Mr Taylor said the personal information of people was captured by certain NSW clubs as part of their membership or entry into those premises.

“The Cybercrime Squad is looking into that data breach and any criminal offences that are connected to that breach,” he said.

“It could relate to up to one million patrons who have entered those clubs … or information relevant to their driver’s licence details or membership details.

“Portions of their driver’s licence, not necessarily the totality of the driver’s licence, were made accessible by a website that we believe was established by the perpetrators of this data breach.

“That internet site was established a number of days ago.”

Mr Taylor said police were working with partners in Australia and overseas to take the website down and to stifle the ability for information to be released into the community of people who have been to those clubs.

“We hope to see that website shut down very soon but at the moment it is very much limited to set data and not the totality that was able to be looked at earlier in the last 24 hours,” he said.

Strike Force Division is investigating the offences of blackmail and possession of data or personal information for criminal purposes.

“We don’t believe it is a hack or attack on that site but a breach of a third party provider in relation to their ability to obtain that information and release it unlawfully,” Mr Taylor said.

Commander of the Cybercrime Squad, Detective Acting Superintendent Gillian Lister, said this breach should act as a reminder for people to check their personal cyber security.

“Now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible,” Ms Lister said.

“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link.

“Always make sure to report incidents of cybercrime through the Australian Cyber Security Centre or Scamwatch.”

Australian-based tech company OutABox, which supplies gaming and hospitality products used by some Clubs NSW venues, has been involved in a data breach after a team of offshore developers claimed they had not been paid for work they completed over a year ago.

A website called haveibeenoutaboxed.com claims the driver’s licences of more than one million people who visited pubs and clubs across Australia, Asia and the US have been compromised.

The data includes signatures, club membership data, home address, birthday, phone number, club visit timestamps and slot machine usage; however, at this stage most of the identifying information has been redacted.

A statement on the website claims developers were given access to back-end systems at gaming venues and instructed to back up the data into the cloud.

A search bar on the website allows people to search their name to determine if their data has been compromised.

A ClubsNSW spokesperson said they are “deeply concerned” about the security of patron data that may have been compromised in the OutABox breach.

“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised,” the spokesperson said.

It is understood the software that was impacted was commonly used during the Covid-19 pandemic to sign-in patrons.

Clubs NSW are urging club patrons to take extra caution in the coming days when reviewing emails or texts to avoid being targeted by security threats.

“In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links,” the spokesperson said.

“The clubs concerned are working towards notifying all impacted patrons.

“ClubsNSW have met with all impacted clubs and are providing whatever support we can, noting again that the incident relates to a third-party provider.”

OutABox have contacted the appropriate authorities and the NSW government has also been advised.

A list of 16 clubs, many of which fall under the ClubsNSW banner, has been named on the website. Hospitality group Merivale has also been named.

The following venues have been named on the website:

  • Breakers Country Club in Wamberal
  • Bulahdelah Bowling Club
  • Central Coast Leagues Club in Gosford
  • Mex. Club in Mayfield
  • City of Sydney RSL
  • East Cessnock Bowling Club
  • Fairfield RSL
  • Gwandalan Bowling Club
  • Halekulani Bowling Club in Budgewoi
  • Ingleburn RSL Club
  • Club Old Bar
  • Club Terrigal
  • West Tradies in Dharruk
  • The Diggers Club
  • Hornsby RSL Club
  • Merivale
  • The Tradies Dickson
  • Erindale Vikings

OutABox said they have become aware of a “potential breach of data” and have notified the relevant authorities.

“Outabox has become aware of a potential breach of data by an unauthorised third party from a sign-in system used by our clients,” the company said in a statement on their website.

“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in co-operation with law enforcement.”

They said an active police investigation is underway and more details will be provided as they become available.

“We understand this news may cause concern to our staff, clients and their customers, and we thank them for their support and patience as we work to resolve this as swiftly as possible,” the statement said.

2GB radio host Ben Fordham said the breach was “causing a lot of worry in the NSW parliament” with some politicians reportedly caught up in the breach.

“Politicians have started to put their names in the website,” Fordham said on Wednesday.

“It’s got details crossed out but enough to know ‘they’ve got my details’.”

It is understood Clubs NSW called an emergency meeting on Wednesday night.

They have been contacted for comment.