Over a million Australians who frequented pubs and clubs have likely had their critical information exposed in a data breach at Outabox, a third-party content management and data storage provider for the hospitality and gaming sectors in New South Wales and the Australian Capital Territory.
According to the Outabox official website, the company, founded in 2017, provides several services to clients in the gaming and entertainment industry across Australia, Asia and the US.
Outabox confirmed the breach and said it likely took place “from a sign in system used by our clients.” It did not respond to any further requests for details on what type of data was likely impacted.
The company has a facial recognition kiosk called TriAgem, which is deployed at entry points of clubs to scan patrons’ temperatures (used in post-covid days) and verify their membership on entry. Outabox did not confirm if this data was also impacted in the data breach incident.
“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to,” Outabox said.
Australia’s National Cyber Security Coordinator said the government is coordinating a response to the Outabox data breach with local authorities in NSW and the ACT.
“I know this will be distressing for those who have been impacted and we are working as quickly as we can, alongside Outabox, to ascertain the full scale of the breach,” said Lieutenant General Michelle McGuinness, who recently took over the role of the National Cyber Security Coordinator.
The NSW government acknowledged that it was aware of the incident and was “concerned” about the potential impact on individuals. “We encourage clubs and hospitality venues to notify patrons whose information is affected,” it said.
NSW’s West Tradies Sends Breach Notifications
One such club, West Tradies, has issued a breach notification to its customers saying its external IT provider was “a target of a cyber extortion campaign.” It added that, “At this stage, we do not know if all patrons, or only some patrons, have been affected.”
“On the evening of 29 April 2024, we were formally notified by the external IT provider that it has been the target of a ‘cyber extortion campaign’ and that an overseas third party is threatening to release personal information unless their demands are complied with,” West Tradies Club said.
All registered clubs in New South Wales are required to keep certain information about members and guests under the Registered Clubs Act. Clubs are also required to keep certain information to comply with their responsible gambling and Anti-Money Laundering and Counter-Terrorism Financing obligations.
To comply with these norms, West Tradies used an external IT provider to assist in keeping these records and operating its systems, it clarified.
More than 1 million Impacted in Outabox Data Breach?
A website that claims to allow people to search their names in the leaked database appeared on the open internet recently. The domain haveibeenoutaboxed[.]com appears to be similar to a service provided by another Australian data leak search provider, but it does not claim any links to it.
The information posted on this website claims that facial recognition biometrics, driver license scans, signature, club membership data, address, birthday, phone number, club visit timestamps, and slot machine usage are included in this data set. There are allegedly 1,050,169 records in the leaked data set, and a simple name search shows redacted details of the patrons of different clubs.
The majority of personally identifiable information has been removed at this stage.
Unpaid Overseas Developers the Cyber Extortionists?
The data leak search website is allegedly controlled by an offshore development team in the Philippines. Outabox hired offshore developers from the Philippines to create software systems that are installed at casinos and nightclubs across several countries. However, after a year and a half of work, the developers were abruptly cut off and left unpaid by Outabox, the owner of the leak site claimed.
“While this outsourcing strategy is common in the industry, what followed was far from standard practice. The developers were granted unrestricted access to the back-end systems of gaming venues, including access to raw data,” the leak site stated.
Douglas Kirkham, the chief executive officer of West Tradies, said “the Club was unaware that any data held by the Club had been disclosed to any third parties or that it had been disclosed overseas. If the allegations are true, those actions were taken without the Club’s knowledge or consent.”
“The Club did not authorise, permit, or know that the external IT provider had provided any information obtained from the Club to third parties.”
The Office of the Australian Information Commissioner has advised it has been notified by some impacted entities and is expecting to receive further notifications. Nearly 20 clubs have been listed on the leak site.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.