A million Australian pubgoers wake up to find personal info listed on leak site

Man arrested and blackmail charges expected after allegations of unpaid contractors and iffy infosec

Updated Over a million records describing Australians who visited local pubs and clubs have apparently been posted online.

An anonymously published leak site claims the records came from a tech services company called Outabox.

The leak site, which The Register has visited but will not name or link to for legal reasons, offers a search facility that produces info on individuals’ names, partial addresses, and dates of birth – and the venue at which the information was recorded. The Register has verified that the leak site contains info that accurately describes people of our acquaintance.

The venues listed on the leak site are registered clubs – Australian institutions that typically combine a pub, a restaurant, a few slot machines, community and sporting facilities, function centers, and sometimes even a sizable theater.

Clubs enjoy tax exemptions for some food and drink sales to members, as many were founded as community hubs for military veterans. Members therefore sign in to clubs when they visit to prove they are eligible for the discounts on offer. Clubs capture those sign-ins, plus info on visitors, and data required under laws that regulate gambling and aim to make life hard for money-launderers.

In recent years, much of that data has been collected digitally.

Outabox appears to be in the business of collecting that sort of data for clubs, as it lists an entry management system called "Triagem" among its products, and describes it as "a state-of-the-art contactless sign-in kiosk that allows both members and guests to sign into the venue with ease." The kiosk can capture facial biometrics and match it to a database.

The leak site alleges Outabox contracted development of some software to offshore developers, and that those coders were given access to data gathered by gaming venues – including facial biometrics, scans of drivers' licenses, and club membership details. The leak site also claims that the outsourced developers were told by Outabox to back up that data into public clouds and suggests that allowing offshore workers unlimited access to personal data, and storing it offshore, is not best practice.

The leak site further alleges that Outabox didn't pay its outsourced contractors – but doesn't suggest those workers are responsible for the leak site.

The Register contacted Outabox. The biz offered us only a “no comment” response, and would not provide an email address we could use to send further questions.

However, Outabox's website contains a statement that declares it "has become aware of a potential breach of data by an unauthorized third party from a sign in system used by our clients" and is "working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement."

ClubsNSW – the peak body for all licensed clubs in the Australian State of New South Wales – has advised members that it has "been made aware of a cyber security incident involving a third-party IT provider commonly used by hospitality venues, including 16 clubs" and that "some personal information of patrons of the clubs that use this IT provider may have been compromised."

Wests Tradies, a registered club, has posted [PDF] a privacy breach notice, acknowledging it has used a third-party tech company for "ID scanning software and gaming system software," and that the business "has notified the club that it is a target of a cyber extortion campaign."

The privacy breach notice also states: "The club did not authorize, permit, or know that the external IT provider had provided any information obtained from the club to third parties."

Local authorities are investigating the matter, which is being treated as a data breach.

Troy Hunt, founder of leak-tracking website haveibeenpwned.com, used his X account to suggest those named in the breach will need to replace their drivers' licenses.

That requirement could make this an expensive exercise for whoever leaked the data. Past data breaches in Australia have seen victim companies foot the bill for their customers' replacement credentials after breaches. ®

UPDATED AT 08:20 UTC MAY 2nd: Police have arrested a man over the breach. A statement reveals a 46-year-old Sydney man was detained and "is expected to be charged with blackmail."
