Clubs peak body 'deeply concerned' after major data breach
ClubsNSW says it is “deeply concerned” after discovering a third-party data breach that could expose the details of Australians who have visited a range of clubs and RSLs in NSW, including prominent politicians.
Developers subcontracted by the company that provides sign-in systems for the clubs said they had the option of publishing details of more than a million visitors online, prompting a NSW Police investigation.
“ClubsNSW has been made aware of a cybersecurity incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs,” the peak body said in a statement this morning.
“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised.
“The clubs concerned are working towards notifying all impacted patrons.”
ClubsNSW said the “appropriate authorities” had been notified and affected clubs had been offered support.
It urged club patrons to be particularly cautious of unfamiliar emails or texts, especially those involving links to websites.
2GB Breakfast host Ben Fordham told the station the unfolding breach was “causing a lot of worry in the NSW parliament”.
He said the apparent leak involved the data scanned when people signed into the clubs, including facial recognition, driver licence details, signatures and addresses.
“There is a company that has allegedly not paid some software developers in the Philippines,” Fordham said.
“Those software developers have now put up their own website, and they’ve essentially said ‘we were given access to all of these systems, our bills haven’t been paid in a year and a half and we’re not happy about it’.”
Fordham warned it was unclear whether searching the website for personal details was safe.
“Politicians have started to put their names in the website,” Fordham said.
“It’s got details crossed out but enough to know ‘they’ve got my details’.”
“What they’re essentially doing is saying look, if you don’t pay our bill, well you can only allow your imagination to work out what’s going to happen next.”
West Tradies in Mt Druitt, City of Sydney RSL and Fairfield RSL are among those involved.
The website claiming to expose the data carries a statement from the people behind it alleging they were “cut off” and not paid.
It says it has data including “facial recognition biometric, driver licence scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage”.
The site claims the system provider was hired to “build a suite of software systems” for casinos and clubs in Asia, Australia and the US.
“The developers were given access into back-end systems at these gaming venues and were given responsibility to maintain the systems and instructed to backup the data into the cloud,” it says.
“Developers were given access to raw data without any oversight …
“Then [the company] suddenly cut the developers off and refused to pay for a year and a half of work.”
ClubsNSW is understood to have had an emergency meeting.
Fordham said bar giant Merivale was also affected.
NSW Police said officers from the State Crime Command’s Cybercrime Squad were “investigating a potential data breach”.
ClubsNSW, Merivale and the sign-in system provider have been contacted for comment.