Members of two Canberra clubs may have had their driver's licences and other personal details shared online in a major data breach.
Licensed clubs in Australia are legally required to collect personal information from each patron upon entry, such as a signature, home address, birthday, phone number, club visit timestamps and gaming machine usage.
Australia-based IT company OutABox supplies casinos and clubs across Asia, Australia and the US with the systems used to collect and store this information.
However, a group of developers claims OutABox suddenly cut them off and refused to pay for a year and a half of work. They have set up a site called haveibeenoutaboxed.com and claim to hold the records of 1,050,169 club customers.
“Call the venue that allowed your data to be leaked and demand removal of OutABox systems,” the website reads.
The site claims people can determine if their data has been compromised via a search bar on the home page.
OutABox became aware of the “potential data breach” this morning (2 May).
“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” a statement from the company read.
“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation. We will provide further details as soon as we are able to.”
Sixteen licensed NSW clubs – as well as Vikings Erindale and The Tradies in Dickson – are believed to have been affected.
In a statement, the Vikings Group (which also manages venues in Chisholm, Lanyon, and the Tuggeranong town centre) said the “extent of the impact is being investigated as an utmost priority”.
“We would like to assure our members that we take the protection of our data seriously and are working hard to gain a clearer picture from OutABox of the extent of this incident and to ensure appropriate support is provided to any individuals who are found to be affected.”
The NSW clubs include Breakers Country Club in Wamberal, Bulahdelah Bowling Club, Central Coast Leagues Club, Mex Club Mayfield, East Maitland Bowling Club, East Cessnock Bowling Club, Gwandalan Bowling Club, Halekulani Bowling Club, Club Old Bar, Club Terrigal, and West Tradies in Dharruk.
It’s understood that patrons don’t have to be club members to be affected by the data breach; a visit to the venue is enough.
NSW Police’s cybercrime squad is investigating the potential breach but said no further information was available as the investigation is ongoing. The Office of the Australian Information Commissioner (OAIC) is also involved.
ClubsNSW oversees more than 1200 clubs across the state and has met with all of those involved.
“The clubs concerned are working towards notifying all impacted patrons,” a statement read.
“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can, noting again that the incident relates to a third-party provider.”
ClubsNSW urged all members to beware of scams and avoid clicking on links in suspicious or unknown emails and texts.
The Vikings Group echoed this call for caution.
“If our members receive any suspicious communications that claim to be from OutABox or Vikings Group, we ask that they do not respond and inform us by emailing outabox.incident@vikings.com.au so we can ensure this is escalated and appropriate support is provided.”
More to come.
Visit the Access Canberra website for more information on protecting your identity after a data breach or cyber-attack.