Clubs NSW data breach leaves patrons at risk of identity theft

“They’ll all need replacing now,” Hunt said of driver’s licenses stolen in the latest Clubs NSW leak. “Signatures and photos are obviously immutable and combined with the other personal identities are very useful for criminals.

“This is a complete mess, and it will get very interesting.”

A Merivale spokesperson said they were not aware of any of their patrons’ data being stolen in the incident.

“We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time.”

ClubsNSW has met with the impacted venues and the government as the full scope of the breach remains under investigation.

“We wish to assure club members that additional updates will be provided once further details are confirmed. In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links,” the ClubsNSW spokesperson said.

A spokesperson for NSW Police confirmed an investigation had begun.

A website that appears to have been set up by someone with knowledge of the Outabox systems claims that more than a million personal records have been compromised globally. The website claims facial recognition data, licenses, signatures and personal information such as phone numbers and addresses have been compromised.

A search box on the website allows people to search their name to see if they have been impacted by the data leak.

“Outabox has become aware of a potential breach of data by an unauthorized third party from a sign-in system used by our clients,” the company said in a statement.

“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff.

“We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.”

Central Coast Leagues Club. Credit: Google Street View

Philip Bos, a cybersecurity expert and founder of software company BlueKee, said he was frustrated that pubs and clubs ask for so much personal information, and that the incident could easily have been avoided.

“Why do they need to store sensitive information such as facial recognition, driver’s license details, signatures and addresses when all that is required is proof of being over 18, and possibly proof of living more than 5km if signing into a club as a guest?” Bos said.

“Businesses today usually use your name, date of birth and address to identify you, which is all the information that a hacker needs to steal to become you. Think of the mildest of motor vehicle accidents – you exchange particulars and have now given away enough for the recipient to become you.”

Tens of millions of Australians have been caught up in recent security breaches including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World and Dymocks, in what’s being dubbed a “new normal” of consistent attacks and leaks.

The Optus breach led to new legislation significantly increasing penalties for serious or repeated breaches of customer data. Organizations that fail to protect people’s data adequately face penalties of $50 million or more.

“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Attorney-General Mark Dreyfus said when introducing the legislation in October 2022.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate.

“It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
