NewsBite

Offshore developers take ClubsNSW members’ patron data hostage

A group of software developers in the Philippines is understood to be holding personal data of many thousands of NSW club visitors over a dispute.

Gosford's Central Coast Leagues Club, one of 16 clubs in NSW believed affected by the data breach. Picture: NCA NewsWire / David Swift

Alarm bells have been sounded across the nation after a group of offshore developers in Asia took hostage the personal information of Australian patrons from over one million visits to licensed clubs and pubs in NSW and the ACT.

The federal government has called in its highest cyber brass to respond to the incident, which involves 16 ClubsNSW member venues and Merivale restaurants, a group of software developers in the Philippines and a data service called Outabox.

Driver’s licences, patron photos, signatures, home addresses and phone numbers are all being held hostage by the group which claims it has a “trail” of unpaid invoices from over 18 months of work with Outabox.

The group has responded by publishing the names of innocent club and gaming customers on a searchable website overnight, in a bid to prove that it is serious about the dispute and is not afraid to leak the information online.

The site claims it is attempting to “shed light on the darker side of the industry” and cites alleged practices of Outabox as the reason for its behaviour. The website names two people in Australia associated with the business, NSW-based Glenn James and Victoria-based Dalbir Singh, and US counterpart Darren Blinn, who is based in Las Vegas.

“Outabox’s … business practices have … endangered the security and privacy of consumers’ sensitive data,” the website reads. “Despite the developers’ year and a half of work, Outabox callously refused to compensate them, leaving a trail of unpaid invoices and shattered trust in their wake.”

Despite such claims, no failings are suggested on the part of the Outabox service or the three men.

In a statement, Outabox said, “We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff. We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.”

“We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”

The website, called Have I Been Outaboxed, has named the following venues and those caught up in the breach: Breakers Country Club in Wamberal, Bulahdelah Bowling Club, Central Coast Leagues Club in Gosford, City of Sydney RSL, Club Old Bar, Club Terrigal, East Cessnock Bowling Club, Erindale Vikings, Fairfield RSL, Gwandalan Bowling Club, Halekulani Bowling Club in Budgewoi, Hornsby RSL Club, Ingleburn RSL Club, Mex Club in Mayfield, Merivale, The Diggers Club, The Tradies Dickson, and West Tradies in Dharruk.

It’s understood that a number of high profile Australian politicians are among those caught up in the breach.

National Cyber Security Coordinator Lieutenant General Michelle McGuinness said the government was co-ordinating a response with affected venues in NSW and the ACT.

“My team is working directly with Outabox on co-ordinating the response to the incident and on understanding what its impacts are,” she said.

“It is a criminal offence to deal in stolen personal information. The Australian Government strongly discourages people from looking for or accessing the data impacted, as this just feeds into the business model of those seeking to do us harm.”

NSW Police, which is now being assisted by the AFP, deployed its cyber squad to investigate the incident on Tuesday evening.

“Officers from the State Crime Command’s cybercrime squad are investigating a potential data breach. As the investigation is ongoing, no further information is available at this time,” a spokesman told The Australian.

Outabox has not named who it believes is behind the breach but has claimed they were an “unauthorised third party”.

“Outabox has become aware of a potential breach of data by an unauthorised third party from a sign-in system used by our clients. We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in co-operation with law enforcement,” the company said.

In February this year, Outabox contracted a new development team in Vietnam, a “hand-picked” group of specialists who it said would help the software service expand its gaming industry software across Vietnam and neighbouring regions.

The group behind the website has claimed that the Vietnam team was set up to replace it. “Possibly following the same questionable practices,” its website reads.

A ClubsNSW spokeswoman said none of its own data had been impacted by the breach, and that it had met with representatives of affected member clubs.

“ClubsNSW has been made aware of a cybersecurity incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs,” she said.

“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised. The clubs concerned are working towards notifying all impacted patrons.”

Joseph Lam, Reporter

Joseph Lam is a technology and property reporter at The Australian. He joined the national daily in 2019 after he cut his teeth as a freelancer across publications in Australia, Hong Kong and Thailand.

Original URL: https://www.theaustralian.com.au/business/technology/offshore-developers-take-clubsnsw-patron-data-hostage/news-story/295936debd9d088c267c2cadabd9d510