Canberra club members believed to be spared worst of data breach

Canberra’s club industry is still wrestling with the ramifications of a major data breach hours after a breakthrough in the case.

A 46-year-old Sydney man was arrested for blackmail at around 4:20 pm yesterday (2 May) after NSW Police raided a home in Fairfield West. The man was taken to Fairfield Police Station and charged with demanding with menace while intending to obtain gain or cause loss.

The force’s cybercrime squad was deployed to investigate after Australia-based IT company OutABox revealed yesterday morning a potential breach of its systems had affected 16 clubs in NSW and two in Canberra.

The company provides the tech used to collect and store the personal information from each club’s patron upon entry, such as a signature, home address, birthday, phone number, club visit timestamps and gaming machine usage.

A group of disgruntled developers claimed OutABox suddenly cut them off and refused to pay for a year-and-a-half of work. They have launched a website where they claim the private details of more than a million club customers have been leaked online.

The website reads, “Call the venue that allowed your data to be leaked and demand removal of OutABox systems.”

Vikings Erindale and The Tradies in Dickson are on the list of affected venues.

In a statement, the Vikings Group (which also manages venues in Chisholm, Lanyon and the Tuggeranong town centre) urged its members to “not respond” to “any suspicious communications that claim to be from OutABox or Vikings Group” while the matter is investigated with “utmost priority”.

The Tradies sent a similar message to all of its members and visitors they have on record but clarified any affected data was old.

The statement read, “The impacted provider supplied technology and services to assist us with our member sign-in process.”

“We no longer use this service provider. We are working with the provider to identify the extent to which any data relating to Canberra Tradesmen’s Union Club [the Tradies], including any personal information, may be involved.”

ClubsACT represents more than 40 licensed clubs in the ACT and echoes that its members have moved away from using OutABox technology since COVID.

“The exposure to our market … was quite limited because most, if not all, of the clubs have already moved on to different technology,” CEO Craig Shannon told Region.

It’s understood any leaked data is from around this time and not recent.

There are more than 200,000 club memberships across the ACT, but Mr Shannon says Vikings Erindale and The Tradies are yet to determine exactly how many of their customers may have been affected.

“There’s a view the ACT has been minimally affected in terms of numbers, compared to other jurisdictions.”

Mr Shannon said the focus remains on the current investigation, and clubs will continue to keep members up to date with developments.

As for how long this will take, he said, “It’s a piece of string”.

“Our clubs are always reviewing this type of security and have high levels of consciousness about the issues involved,” he said.

“It’s very difficult to control things outside your own environment, but we’ll work with whatever learnings come out of this.”

The Alliance for Gambling Reform (AGR) took the opportunity to “spotlight the need for cashless gambling cards”.

“This breach highlights just how unaccountable clubs are and how haphazard they are with the mountain of private information they routinely collect from the public – without direct consent,” CEO Carol Bennett said.

A cashless gambling card is linked to an online account or digital wallet, and rather than physical cash, credits are transferred to and from a gaming machine.

AGR has previously promoted it as a way of kerbing the $27 billion Australians lose in gambling each year (and the associated harm), and the ACT Government launched an inquiry into how it could work locally last year.

Mr Shannon said this is “completely the wrong lesson to take away” from the data breach and argued a cashless gambling system replaces one digital storage system with another.

“That’s a lot of faith in your own system.”

The Tradies and Vikings Group were contacted for comment.

Visit the Access Canberra website for more information on protecting your identity after a data breach or cyber-attack.