Updated: 3 May
Hornsby RSL Club has alerted its members to a significant data security incident involving a third-party technology provider responsible for the club's sign-in procedures. The breach was brought to the club's attention on the evening of April 29, 2024.
The service provider, identified by ABC as Outabox, is believed to have compromised the data of over one million New South Wales residents through at least 16 licensed clubs. High-profile individuals, including Premier Chris Minns and Police Minister Yasmin Catley, are among those affected.
NSW Gaming Minister David Harris was informed of the breach on the following evening. He clarified that the incident involved a third-party vendor and was not a direct hack.
Harris also noted that the breach extends beyond club members, potentially affecting any visitors to the implicated venues.
"We know that this is an alleged data breach of a third-party vendor, so it wasn't a hack," he said.
"There was a high-level meeting yesterday and the authorities, cybersecurity and police organisations are currently investigating that and when we get authorisation we can give more information."
Mr Harris said patrons did not have to be a member of a club to be potentially impacted.
"If you had visited those venues then potentially you would be involved in this," he said.
The 16 clubs announced as being affected are:
- Breakers Country Club
- Bulahdelah Bowling Club
- Central Coast Leagues Club
- Mex Club Mayfield
- City of Sydney RSL
- East Cessnock Bowling Club
- Fairfield RSL Club
- Gwandalan Bowling Club
- Halekulani Bowling Club
- Hornsby RSL Club
- Ingleburn RSL Club
- Club Old Bar
- Club Terrigal
- The Tradies Dickson
- Erindale Vikings
Troy Hunt, creator of the haveibeenpwned.com, told the ABC "The Outabox technology used by clubs scans patrons' faces and matches them with their licence details.
Mr Hunt said people whose data has appeared on the site may need to replace their drivers licences.
"There are physical addresses, there are date of birth, there are names. That's not good," he said.
"It's a little bit Optus all over again. Once drivers' licences have been taken by unauthorised parties … it is something that almost certainty we're going to see recommended to be replaced."
Currently, the specifics of the member and customer data compromised have not been disclosed. The Australian Cyber Security Centre, NSW Cyber Crime Detectives, ClubsNSW, the affected clubs, and Outabox are all actively investigating the breach. The situation remains under close scrutiny as the investigation progresses.
The Post notes that the Outabox website is currently unavailable/
The club has stated they will update members as the investigation progresses.
The Post will keep the community updated as we receive more information. As this is a Cyber Security Breach, The Post asks the community to be vigilant, and stay alert to any suspicious activity or communications especially any communications purporting to come from any of the affected clubs.
A man has been charged with blackmail by Cybercrime Squad detectives investigating an alleged data breach threatening to share the personal details of over one million people.
UPDATE:
On Wednesday 1 May 2024, officers attached to State Crime Command’s Cybercrime Squad were alerted to a website which had published the personal information of patrons who signed-in using their drivers’ licences at specific premises across NSW.
Cybercrime Squad detectives worked closely with Federal and State agencies to contain the breach and commenced an investigation under Strike Force Division.
Following extensive inquiries, about 4.20pm yesterday (Thursday 2 May 2024), strike force detectives executed a search warrant in Fairfield West where they arrested a 46-year-old man.
The man was taken to Fairfield Police Station and charged with demand with menaces intend obtain gain/cause loss.
He was granted conditional bail to appear at Fairfield Local Court on Friday 12 June 2024.
