NSW police are investigating after the personal information of more than 1 million people who visited pubs and clubs in recent years appeared to have been compromised.

The breach relates to sign-in data provided by patrons of 19 pubs and clubs in NSW, with a spokesperson for ClubsNSW confirming it was “aware of a cybersecurity incident involving a third-party IT provider”.

A group of unknown individuals claiming to be offshore developers subcontracted by Outabox, an IT firm providing sign-in and licence scanning technology to venues in NSW, posted on a website this week alleging to have access to large amounts of personal data.

They claimed this personal data included facial recognition biometrics, driver licence scans, signatures, addresses, dates of birth, and slot machine usage, and provided a search function for individuals to see if they had been caught up in the breach.

On the website, the anonymous individuals claimed they had not been paid by the company.

These claims cannot be independently verified.

In a statement posted on its website, Outabox said it was aware of a “potential breach of data by an unauthorised third party from a sign-in system used by our clients”.

“We are working as a priority to establish the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” the statement said.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation.”

In a statement, Outabox said the company was aware of a “malicious website carrying a number of false statements designed to harm our business and defame our senior staff”.

Under NSW law, licensed clubs in the state must collect certain personal information from patrons upon entry, and keep it secure.

One of the venues impacted by the potential breach, the Hornsby RSL Club, notified its patrons of the breach on Wednesday night, saying that one of its “former external service providers” had suffered a cyber security incident.

The RSL said that the impacted supplier provided services to it from the start of 2021 to mid-2023.

The venues impacted by the ClubsNSW potential breach:

  1. Breakers Country Club
  2. Bulahdelah Bowling Club
  3. Central Coast Leagues Club
  4. City of Sydney RSL
  5. Club Old Bar
  6. Club Terrigal
  7. The Diggers Club
  8. East Maitland Bowling Club
  9. East Cessnock Bowling Club
  10. Erindale Vikings
  11. Fairfield RSL Club
  12. Gwandalan Bowling Club
  13. Halekulani Bowling Club
  14. Hornsby RSL Club
  15. Ingleburn RSL Club
  16. Merivale
  17. Mex Club Mayfield
  18. The Tradies Dickson
  19. West Tradies

Optus redux

HaveIBeenPwned.com founder and cybersecurity expert Troy Hunt said that concerns around the biometric data may be overblown, and the most significant worry is the presence of driver licences.

“The biometric line is a good headline but it’s likely a little hyperbolic,” Hunt posted on X.

“Data that a verifier captures in order to match biometrics is not necessarily usable in other contexts and possibly poses no real risk.

“Drivers’ licences, however, is Optus redux.

“They’ll all need replacing now.

“Signatures and photos are obviously immutable and combined with the other personal identifiers and are very useful for criminals.”

NSW Gaming and Racing minister David Harris said venues caught up in the breach should notify impacted customers.

“We’re really concerned about the potential impact on individuals and we will encourage clubs and hospitality venues to notify patrons whose information might be affected,” Harris said in a statement.

This isn’t even the first potentially significant data breach impacting the data of tens of thousands of Australians this week.

Earlier this week those using the Qantas app were able to see the boarding passes and details of other passengers for several hours.

Qantas said it had resolved the issue by midday on Wednesday and that “current investigations indicate that it was caused by a technology issue and may have been related to recent system changes”, and that there was no indication it was a cybersecurity incident.

Qantas said that app users were able to see the name, flight details, points balance and status of other customers, but no other personal information.