Cybercrime detectives investigating potential data breach involving more than 1 million NSW clubs customer records

Cybercrime detectives investigating potential data breach involving more than 1 million NSW clubs customer records
  • PublishedMay 2, 2024

An unauthorised website claims personal information of more than 1 million customer records from at least 16 licensed NSW clubs have been released online in a potential data breach.

Cybercrime detectives are investigating the reported breach with the website claiming to have records and personal information of senior government figures, including Premier Chris Minns, Deputy Premier Prue Car and Police Minister Yasmin Catley.

IT provider Outabox said in a statement it had become aware of the potential data breach of a sign-in system used by its clients by an “unauthorised” third party.

“We are working as a priority to establish the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” Outabox said in a statement.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation.”

It is a legal requirement in NSW for licensed clubs to collect personal information from patrons on entry, under the state’s registered clubs legislation.

The information is required to be stored securely under federal privacy laws.

Government agency ID Support NSW confirmed 16 licensed clubs across NSW have been implicated in the data breach:

  • Breakers Country Club
  • Bulahdelah Bowling Club
  • Central Coast Leagues Club
  • Mex Club Mayfield
  • City of Sydney RSL
  • East Cessnock Bowling Club
  • Fairfield RSL Club
  • Gwandalan Bowling Club
  • Halekulani Bowling Club
  • Hornsby RSL Club
  • Ingleburn RSL Club
  • Club Old Bar
  • Club Terrigal
  • The Tradies Dickson
  • Erindale Vikings

Merivale operates more than 80 venues across NSW and Victoria and was identified by ID Support NSW as among those in affected but said in a statement it was not involved.

“We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time,” a spokesperson said.

‘It’s a little bit Optus all over again’

Gaming Minister David Harris said the government and police first became aware of the potential breach on Tuesday.

“We know that this is an alleged data breach of a third-party vendor, so it wasn’t a hack,” he said.

“There was a high-level meeting yesterday and the authorities, cybersecurity and police organisations are currently investigating that and when we get authorisation we can give more information.”

Mr Harris said patrons did not have to be a member of a club to be potentially impacted.

“If you had visited those venues then potentially you would be involved in this,” he said.

One man who found his data on the website said his name, suburb and year of birth were linked to a club he had attended, but his street name and date and month of birth had been redacted.

Creator of the data breach tracking website, Troy Hunt, said the creators of the website had not released all of the information they had collected.

“I assume the developers of this website have redacted it purely to not make things worse than they already are,” he said.

“Inevitably they do have the entire thing.”

He said the Outabox technology used by clubs scans patrons’ faces and matches them with their licence details.

Mr Hunt said people whose data has appeared on the site may need to replace their drivers’ licences.

“There are physical addresses, there are date of birth, there are names. That’s not good,” he said.

“It’s a little bit Optus all over again. Once drivers licences have been taken by unauthorised parties … it is something that almost certainty we’re going to see recommended to be replaced.”

Cybercrime squad are investigating

ID Support NSW said it would assist customers impacted by the incident.

“We are concerned about the potential impact on individuals and urge clubs and hospitality venues to notify patrons whose information is affected,” it said in a statement.

“ID Support NSW is also available to help those affected reduce their risk of identity theft following this incident.”

NSW Police have confirmed detectives from the state’s cybercrime squad are investigating the potential breach, but said no further information was available as the investigation is ongoing.

ClubsNSW said in a statement that information on the breach is limited.

“The clubs concerned are working towards notifying all impacted patrons,” he said.

“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can, noting again that the incident relates to a third-party provider.”

ClubsNSW urged all club members to watch out for scams and avoid clicking on links in suspicious or unknown emails and texts.


Leave a Reply

Your email address will not be published. Required fields are marked *