Over a million records detailing the visits of Australians to local pubs and clubs have been leaked online, with the information apparently originating from Outabox, a tech services company. The leak, which was reported by The Register, includes sensitive personal information such as names, partial addresses, dates of birth, and details of the venues visited. This data was digitally collected by Outabox through a state-of-the-art contactless sign-in kiosk called “Triagem,” which is designed to manage entry for members and guests and can capture facial biometrics.
The leak site suggests that Outabox had contracted the development of some of its software to offshore developers who were given access to this sensitive data, including facial biometrics and scans of driver’s licenses. Moreover, these developers were instructed to back up the data into public clouds, a practice that is not considered secure. The leak site also alleges that these offshore developers were not paid by Outabox, although it does not imply that the unpaid developers were responsible for the leak.
Following the discovery of the breach, Outabox acknowledged on its website a potential data breach by an unauthorized third party and stated that it is working with law enforcement to investigate the matter. ClubsNSW, the peak body for licensed clubs in New South Wales, and Wests Tradies, a registered club, have informed their members about the cyber security incident involving a third-party IT provider that is commonly used by hospitality venues, indicating that personal information might have been compromised.
The incident has garnered significant attention, prompting local authorities to launch an investigation; it is being treated as a serious data breach. Troy Hunt, the founder of haveibeenpwned.com, suggested on social media that those affected by the breach may need to replace their driver’s licenses, hinting at the breach’s potential personal and financial impact on the victims. The breach culminated in the arrest of a 46-year-old man from Sydney on charges of blackmail, highlighting the severity and criminal nature of the data exposure.