Police arrest 46-year-old over ClubsNSW data breach

Pubs and clubs in NSW caught up in major data breach

A 46-year-old man has been arrested after an investigation into the massive breach of ClubsNSW data.

Detectives searched a home in Fairfield West about 4.20pm today, after a data breach exposed the identity of more than 1 million people.

The man was taken to Fairfield Police Station and was expected to be charged with blackmail.

Earlier this afternoon, police said they “were alerted to a website that had published the personal information of patrons who signed in using their drivers’ licences at specific premises across NSW”.

2GB Breakfast host Ben Fordham told the station this morning the breach was “causing a lot of worry in the NSW parliament”.

He said the leak involved the data scanned when people signed into the clubs, including facial recognition, driver licence details, signatures and addresses.

https://omny.fm/shows/ben-fordham-full-show/exclusive-major-data-breach-involving-prominent-po/embed

West Tradies in Mt Druitt, City of Sydney RSL and Fairfield RSL are among up to 15 clubs thought to be affected.

Police earlier said they’d identified “persons of interest” in their investigation into the breach.

“We will investigate a number of different types of offences, including the offence of blackmail under the Crimes Act, and possession of personal information for unlawful purposes,” Detective Chief Superintendent Grant Taylor said.

Taylor said police believed the leak was “a breach of a third party provider in relation to their ability to obtain that information and release it unlawfully”.

Detective Chief Superintendent Grant Taylor

A little over an hour later, cybercrime detectives arrested the 46-year-old man in Sydney’s west.

Police said they were working to contain the data breach and have the site taken offline “as a matter of priority”.

On the risk of senior NSW politicians being exposed in the data breach, Taylor said: “within a million people’s names, no doubt there are individuals of some prominence”.

Anyone who suspects their identity was exposed in the broach was advised to wait to be contacted by authorities for further information.

This morning, ClubsNSW said it was “deeply concerned” after discovering a third-party data breach that could expose the details of Australians who have visited a range of clubs and RSLs in NSW, including prominent politicians.

“ClubsNSW has been made aware of a cybersecurity incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs,” the peak body said in a statement.

“The clubs concerned are working towards notifying all impacted patrons.”

The website claiming to expose the data carried a statement from the people behind it alleging they were “cut off” and not paid.

It says it had data including “facial recognition biometric, driver licence scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage”.

The site claims the system provider was hired to “build a suite of software systems” for casinos and clubs in Asia, Australia and the US.

“The developers were given access into back-end systems at these gaming venues and were given responsibility to maintain the systems and instructed to backup the data into the cloud,” it says.

“Developers were given access to raw data without any oversight …

“Then [the company] suddenly cut the developers off and refused to pay for a year and a half of work.”

Earlier reports had suggested venues owned by Merivale had been affected in the breach but the hospitality group has denied those claims.

“We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time,” a Merivale spokesperson said.

Outabox, the IT provider working with ClubsNSW, said it was “aware and responding to a cyber incident potentially involving some personal information”.

“We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time,” a company spokesperson said.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff. We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.”