NSW club patrons advised to replace ID documents after leak of more than a million records
Hundreds of thousands of residents in New South Wales and the ACT are being urged to replace their ID documents after more than a million records of club and pub patrons were leaked in a data breach.
Personal data including names and addresses were accessed as part of the incident involving Outabox, an IT provider used by dozens of hospitality venues across the state including hospitality giant Merivale.
A website that purported to allow people to search names in the leaked database, and returned redacted information about its contents, claimed that it contains 1,0505,169 records.
Officers from the NSW police state crime command’s cybercrime squad were investigating under Strike Force Division how the data breach occurred and if any criminal offences were connected to it.
Detectives are working with federal agencies “to contain the breach and have the site taken offline as a matter of priority” after being made aware of it on Wednesday, a police spokesperson said.
The cybercrime squad commander, detective acting superintendent Gillian Lister, said people should use this as a chance to “make sure your cyber hygiene is good”, including checking password strength and enabling two-factor authentication where possible.
“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link,” she said.
ClubsNSW said the “cybersecurity incident” had impacted 16 clubs and several pubs.
“We understand that some personal information of patrons of the clubs that use this IT provider may have been compromised,” a spokesperson said.
“The clubs concerned are working towards notifying all impacted patrons.”
A spokesperson for Outabox said it was “aware of a potential breach of data by an unauthorised third party from a sign-in system used by our clients”.
“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” the spokesperson said.
“We understand this news may cause concern to our staff, clients and their customers, and we thank them for their support and patience as we work to resolve this as swiftly as possible.”
The gaming minister, David Harris, has urged venues to notify patrons whose information may have been affected.
On Thursday morning, entertainment and hospitality giant Merivale said it did not believe its customers had been impacted.
“We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time,” a company spokesperson said.
Australian cybersecurity expert Troy Hunt said it was not clear if photos and signatures captured by the system upon sign-in were exposed in every case.
“Drivers licenses, however, is Optus redux: they all need replacing now,” he posted on X, formerly known as Twitter.
“Signatures and photos are obviously immutable (by any practical measure) and combined with the other personal identities (name, phone, address), are *very* useful for criminals.”
The NSW government is also investigating.
“The NSW Government is aware of an incident involving unauthorised access to customer information held by an IT provider which is used by hospitality venues across both NSW and the ACT,” an ID Support NSW spokesperson said.
“We are concerned about the potential impact on individuals and urge clubs and hospitality venues to notify patrons whose information is affected.”
One club caught up in the breach told members it was deeply concerned about the security of the data.
“We have met with ClubsNSW and they are providing whatever support they can, noting again that the incident relates to an external provider,” Club Terrigal said.