More than a million visitors to some of NSW’s top pubs and clubs impacted by data breach

NSW Police on Thursday afternoon arrested a 46-year-old man in Fairfield West over his alleged blackmail campaign against OutABox.

A data breach has impacted patrons of some of NSW’s most popular venues.

Strike Force Division detectives carried out a search warrant at the man’s home before taking him to Fairfield Police Station where he is expected to be charged with blackmail.

Cybercrime Squad boss Gillian Lister said the breach was a reminder for people to check their personal cyber security.

“Now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible,” Detective Acting Superintendent Lister said.

“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link.

“Always make sure to report incidents of cybercrime through the Australian Cyber Security Centre or Scamwatch.”

NSW Police are working to have a website publishing the data of one million people who visited popular pubs and clubs across the state taken down as part of an investigation into those behind or responsible for the data breach.

Addresses, signatures, dates of birth, phone numbers and even driver’s licence photographs collected by Australian-based tech company OutABox – who create gaming and hospitality products – are believed to have been shared with a third-party overseas contractor.

It has led to some of the crucial personal data being posted online at haveibeenoutaboxed.com in a major cyber leak.

Police sources said they had been made aware of the leak late on Tuesday evening after OutABox reported the breach to the federal government, with a priority for detectives in the immediate term to have the website taken down.

“Firstly, we are working to contain the breach and also attempting to take down the website,” the source said.

“Obviously we are also working to identify those behind or responsible for the breach and to fully investigate any criminal offences that may have been committed.”

Several high-profile political figures are among those believed to have had their details compromised.

In a statement, OutABox said it “is aware and responding to a cyber incident potentially involving some personal information”.

“We have been in communication with a group of our clients to inform them and outline our strategy to respond.

“Due to the ongoing Australian police investigation, we are not able to provide further information at this time.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff. We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.”

Whistleblowers claim those overseas tech developers were given “free rein over sensitive consumer information” by OutABox.

A website called haveibeenoutaboxed.com has been created, in which a search option allows those reportedly affected to look up their names. The data leak surfaced on Wednesday when text messages were sent to some individuals believed to have been impacted.

The Daily Telegraph understands that some of those businesses affected include a total of 17 pubs and RSL clubs in NSW that fall under the ClubsNSW banner.

Merivale venues have also been dragged into the data breach.

However, billionaire Merivale hospitality empire chief Justin Hemmes said the exposure to Merivale is limited, if at all, due to their venues using different data systems.

An emergency meeting was held between ClubsNSW and those venues on Wednesday, while the NSW Government was also made aware of the data breach.

“ClubsNSW has been made aware of a cybersecurity incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs,” a spokesperson said.

“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised.

“The clubs concerned are working towards notifying all impacted patrons. We can advise that the appropriate authorities have been notified by the third-party IT provider and the NSW Government has also been advised.

“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can. We wish to assure club members that additional updates will be provided once further details are confirmed.

“In the interim, club patrons are advised to take extra caution when reviewing emails or texts (or opening links).”

In a statement, a NSW Police spokesperson confirmed the Cybercrime Squad was investigating the incident.

“Officers from the State Crime Command’s Cybercrime Squad are investigating a potential data breach,” the spokesperson said.

“As the investigation is ongoing, no further information is available at this time.”

‘BE VERY VIGILANT’: TECH EXPERT WEIGHS IN

People affected by the data leak at pubs and clubs across NSW are being urged to be extra careful when opening texts and emails, until the cyber incident is resolved.

While many questions remain unanswered about the full extent of the data breach involving tech company OutABox, there are a few key moves the more than one million individuals reportedly affected can make to protect themselves.

In a statement, ClubsNSW, whose banner many of the pubs and RSLs fall under, said those impacted should keep a close eye on their online communications and avoid clicking on any “suspicious or unfamiliar links”.

“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can, noting again that the incident relates to a third-party provider,” a spokesperson for ClubsNSW said.

“We wish to assure club members that additional updates will be provided once further details are confirmed. In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links.”

Tech expert Trevor Long weighed in on the breach. Picture: Supplied

Meanwhile, a tech expert has warned millions of people to be on the lookout, saying millions of people could be impacted by potential scams as a result of the data breach.

Trevor Long, from EFTM, warned that millions of people will be affected by the data breach and anyone who signed into one of the listed clubs is at risk.

“This is up to a million people in NSW who’ve signed into a club using their driver’s licence, which is essentially what you have to do these days to prove who you are and whether you’re a member or a guest or not,” he said on the Today show.

Mr Long said a company overseas did the programming for the venues, meaning they had access to all of the personal data.

“And so what’s happened is as a company that makes these computers and they use a company allegedly overseas that did the programming and things for it,” he said.

“But during the time they had that work going on, that company had access to all the data.

“Now it appears there’s some disagreement between these two organisations. There’s a police investigation into that.”

People are being warned to be wary of scammers.

The tech expert underlined the dangers of scammers during this breach.

“There were scammers out there, so today and for the next few weeks we’ve got to be very vigilant about any contact you get from a club or a pub anywhere you signed into suggesting that you need to take action,” he said.

“Those clubs are reaching out to people and that’s great, but you need to just don’t act upon those emails other than to say I’m aware of it.”

Mr Long revealed that he is affected by the breach.

“I’m a member of the Hornsby RSL and I definitely scanned in and there my name came up and basically what it showed was my name and my suburb, the rest of the details got those hashes,” he said.

“That’s their way of saying, I know your details, I’m not going to show them yet, but if this goes sour, they’ll release that data and that data will be available on the dark web stuff we’re talking about here.

“It does feel like some sort of ransom here. But until we know what this police investigation is and the cyber investigation, this could be an interesting few days.”

Do you know more? Message 0481 056 618 or email tips@dailytelegraph.com.au


Original URL: https://www.dailytelegraph.com.au/news/nsw/more-than-a-million-visitors-to-some-of-nsws-top-pubs-and-clubs-impacted-by-data-breach/news-story/1f0796ca4257730851c87db6fc4859bd