Outabox, a third-party IT provider used by clubs including for their front-of-venue sign-in systems, has potentially suffered a major data breach.
“Outabox has become aware of a potential breach of data by an unauthorised third party from a sign in system used by our clients,” the company wrote in a statement.
“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement.”
While initial reports suggested the cache of data was being held as blackmail by disgruntled developers overseas, NSW Police executed a search warrant on Thursday afternoon 2 May in Sydney’s west, arresting a 46-year-old man in Fairfield West.
Cybercrime Squad detectives worked closely with Federal and State agencies to contain the breach and commenced an investigation under Strike Force Division.
The man was taken to Fairfield Police Station and charged with demand with menaces intend obtain gain/cause loss. He was granted conditional bail to appear at Fairfield Local Court on Friday 12 June 2024.
According to a website called haveibeenoutaboxed.com, which appears to have been set up by someone with knowledge of the attack, the venues that have been impacted include:
- Breakers Country Club
- Bulahdelah Bowling Club
- Central Coast Leagues Club
- Mex. Club in Mayfield
- City of Sydney RSL
- The Diggers Club
- East Cessnock Bowling Club
- Fairfield RSL
- Gwandalan Bowling Club
- Halekulani Bowling Club
- Hornsby RSL Club
- Ingleburn RSL Club
- Club Old Bar
- Club Terrigal
- The Tradies Dickson
- West Tradies
- Erindale Vikings
East Maitland Bowling Club has also been listed, but the club has never engaged with Outabox.
Similarly hospitality group Merivale has also been named, but a spokesperson for the group said it does not look like its venues and their customers have been affected.
“We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time.”
A ClubsNSW spokesperson said it is “deeply concerned” about the data breach.
“We have today met with all impacted clubs and are providing whatever support we can, noting again that the incident relates to a third-party provider,” the spokesperson said.
“We wish to assure club members that additional updates will be provided once further details are confirmed.”
The site also claims that about a million customers who have visited these venues since 2020 are likely to have had their personal details compromised. This includes facial recognition, licences, signatures, and personal information such as phone numbers and addresses. It is understood, however, many of these customer details are duplicates.
The ClubsNSW spokesperson said the clubs concerned are working to notify all impacted patrons.
“In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links.”
A spokesperson for ID Support NSW has also expressed their concern about the potential impact this will have on individuals, stating: “ID Support NSW is available to help those affected reduce their risk of identity theft following this incident.”
NSW government agencies are working with Commonwealth and ACT Government agencies as part of the response, the ID Support NSW spokesperson added.
In notifying its members and guests, West Tradies has explained it engaged the external IT provider for various software and equipment, including ID scanning software and gaming system software, and that this company is claiming it is the target of “cyber extortion”. West Tradies did not name Outabox as the IT provider involved.
“This external provider supplied hardware and software services to assist us with our Club sign-in process from COVID-19 times through to 4 July 2023. At this point the hardware was replaced, however the software interface remained active until 27 March 2024,” said the club.
The software interface allowed the club to extract and record guest information, and allowed the club to know when patrons were visiting.
In NSW, it is a requirement for registered clubs to collect personal information from patrons on entry under the Registered Clubs Act 1976.
The Commonwealth Privacy Act 1988 governs the collection, use, storage and protection of data by organisations covered by the Privacy Act, including organisations with an annual turnover of more than $3 million.
West Tradies said it was unaware Outabox had disclosed any data it held to any third parties or that it had been disclosed overseas.
“The club did not authorise, permit, or know that the external IT provider had provided any information obtained from the club to third parties. The club is extremely disappointed that this has occurred given that it takes the security and privacy of its patrons very seriously.”
West Tradies CEO Douglas Kirkham has expressed profound disappointment.
“You have my word that we are doing everything possible to get to the bottom of how this happened and to protect your privacy both now and in the future,” he said.
“To this end we have engaged independent legal advisers to assist us to investigate all aspects of this matter and we will do whatever is necessary to protect you and our club both now and in the future.
“We are also reviewing our arrangements with our current service providers to ensure that they cannot, without the Club’s consent, disclose any personal information to a third party, and to ensure that they have appropriate steps in place to protect any personal information which they hold, or can access, on behalf of the Club.”
Outabox said given active police investigations are ongoing, it is restricted by how much further information can be shared.
“We will provide further details as soon as we are able to,” the company said.
“We understand this news may cause concern to our staff, clients and their customers, and we thank them for their support and patience as we work to resolve this as swiftly as possible.”
Updated 3.51pm AEST, 2 May 2024: Additional comments added.
Updated 9:15am 3 May 2024: Details of arrest added.