2 May 2024

Canberra club members at risk of identity theft after major data breach

By James Coleman

Vikings Erindale has advised members to be cautious about communications that claim to be from OutABox or Vikings Group. Photo: File.

Members of two Canberra clubs may have had their drivers licences and other personal details shared online in a major data breach.

Licensed clubs in Australia are legally required to collect personal information from each patron upon entry, such as a signature, home address, birthday, phone number, club visit timestamps and gaming machine usage.

Australia-based IT company OutABox supplies casinos and clubs across Asia, Australia and the US with the systems used to collect and store this information.

However, a group of developers claims OutABox suddenly cut them off and refused to pay for a year-and-a-half of work. They have set up a site called haveibeenoutaboxed.com and claim to hold the records of 1,050,169 club customers.

“Call the venue that allowed your data to be leaked and demand removal of OutABox systems,” the website reads.

The site claims people can determine if their data has been compromised via a search bar on the home page.

OutABox became aware of the “potential data breach” this morning (2 May).

“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” a statement from the company read.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to.”

Sixteen licensed NSW clubs – as well as Vikings Erindale and The Tradies in Dickson – are believed to have been affected.

The Tradies in Dickson is one of the clubs affected. Photo: File.

In a statement, the Vikings Group (which also manages venues in Chisholm, Lanyon, and the Tuggeranong town centre) said the “extent of the impact is being investigated as an utmost priority”.

“We would like to assure our members that we take the protection of our data seriously and are working hard to gain a clearer picture from OutABox of the extent of this incident and to ensure appropriate support is provided to any individuals who are found to be affected.”

Text message from the Tradies warning about the OutABox data breach. Image: Screenshot.

The NSW clubs include Breakers Country Club in Wamberal, Bulahdelah Bowling Club, Central Coast Leagues Club, Mex Club Mayfield, East Maitland Bowling Club, East Cessnock Bowling Club, Gwandalan Bowling Club, Halekulani Bowling Club, Club Old Bar, Club Terrigal, and West Tradies in Dharruk.

It’s understood that patrons don’t have to be club members to be affected by the data breach; a visit to the venue is enough.

NSW Police’s cybercrime squad is investigating the potential breach but said no further information was available as the investigation is ongoing. The Office of the Australian Information Commissioner (OAIC) is also involved.

ClubsNSW oversees more than 1200 clubs across the state and has met with all of those involved.

“The clubs concerned are working towards notifying all impacted patrons,” a statement read.

“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can, noting again that the incident relates to a third-party provider.”

ClubsNSW urged all members to beware of scams and avoid clicking on links in suspicious or unknown emails and texts.

The Vikings Group echoed this call for caution.

“If our members receive any suspicious communications that claim to be from OutABox or Vikings Group, we ask that they do not respond and inform us by emailing outabox.incident@vikings.com.au so we can ensure this is escalated and appropriate support is provided.”

More to come.

Visit the Access Canberra website for more information on protecting your identity after a data breach or cyber-attack.

Join the conversation

Geez, the Tradies better fix their SMS — my spam detector is saying it’s spam. And who in their right mind would allow a link to an ‘unsubscribe’ service that looks like this: http://s1m.co/[a code number] ?? … it’s precisely what a scammer would do – send you an obscure URL to click through and when you do it asks you for your phone number so you can be unsubscribed. There’s NO way of confirming that this SMS from ‘the Tradies’ is legit since, if our data’s been stolen, of course the scammer can address it to me personally. What a total ****.

HiddenDragon, 7:28 pm 02 May 24

“Licensed clubs in Australia are legally required to collect personal information from each patron upon entry…..”

Presumably because dodgy things can happen in such venues and demanding detailed personal information from all patrons, including the vast majority of honest, harmless people, seemed like a good idea.

Aside from the risks of identity theft and ensuing crimes which arise every time one of these data honeypots is compromised, it’s as clear as it can be that the now almost out of control demands for personal information in this country have not saved us from (among other things) a rampant illicit drug which seems largely to operate as it wishes and all the related horrors, including gang warfare in a number of our cities.

Might be time for plodding politicians who wave through these sorts of laws “to keep us all safe” (and because “if you’re doing nothing wrong you’ve got nothing to worry about”) to think again about how best to protect the safety – in all respects – of the law-abiding majority.
