A 46-year-old Sydney man has been arrested and charged with blackmail in relation to the ClubsNSW data breach that potentially exposed the personal information of more than 1 million people.

NSW Police cybercrime detectives launched an investigation last week after a “cybersecurity incident involving a third-party IT provider” saw the personal data of more than 1 million patrons of clubs and pubs in NSW and the ACT compromised.

The data relates to driver licences used to sign in at specific premises in NSW and the ACT.

NSW Police’s Cybercrime division conducted the investigation in partnership with state and federal agencies under Strike Force Division.

The investigation didn’t take long, with NSW Police executing a search warrant in Fairfield West on Thursday afternoon and arresting the Sydney man.

The following morning, the man was charged with blackmail, referred to as ‘demand with menace intending to obtain gain or cause loss’.

He was granted conditional bail and will appear before the Fairfield Local Court on 12 June.

NSW Police Detective Chief Superintendent Grant Taylor confirmed that the alleged perpetrators created a website at least a few days before the breach was revealed publicly.

“We have been working with our state and federal partners and also international partners in order to take down that website,” Taylor said.

“And at the very least to disrupt that website and to stifle the ability for information of members of the public who have utilised those clubs and their data to be released to the wider community.”

A group claiming to be offshore developers subcontracted by Outabox, an Australian IT firm providing sign-in and licence scanning technologies to venues in NSW and the ACT, posted on the website, alleging that it had access to the personal details of more than 1 million people.

The group claimed this data included facial recognition biometrics, driver licence scans, signatures, addresses, dates of birth, and slot machine usage. The website also included a search function to check whether an individual was included.

The group behind the website claimed they had not been paid for their work by the company. The claims on the website have not been verified, and Outabox said the website contains a “number of false statements designed to harm our business and defame our senior staff”.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation,” an Outabox statement said.

“We will provide further details as soon as we are able to.”

The search function on the website that initially claimed to have the data of more than 1 million people now says it has zero records.

Over the weekend, the site was updated to say that: “no private data was actually disclosed publicly and no hacking occurred. All records have already been removed. We thank you for listening, the whistle has been heard”.

This statement has now been removed from the site and replaced by a link to the White Pages.

Time for cyber hygiene

NSW Police said that “now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible”.

“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link,” Taylor said.

NSW Gaming minister David Harris said he was made aware of the data breach on Tuesday last week.

“We know that this is an alleged data breach of a third-party vendor, so it wasn't a hack,” Harris said on Thursday.

“There was a high-level meeting yesterday and the authorities, cybersecurity and police organisations are currently investigating that and when we get authorisation we can give more information.”