4 May 2024

Canberra club members believed to be spared worst of data breach

James Coleman

ClubsACT CEO Craig Shannon says local members have been “minimally affected”. Photo: Thomas Lucraft.

Canberra’s club industry is still wrestling with the ramifications of a major data breach hours after a breakthrough in the case.

A 46-year-old Sydney man was arrested for blackmail at around 4:20 pm yesterday (2 May) after NSW Police raided a home in Fairfield West. The man was taken to Fairfield Police Station and charged with demanding with menace while intending to obtain gain or cause loss.

The force’s cybercrime squad was deployed to investigate after Australia-based IT company OutABox revealed yesterday morning a potential breach of its systems had affected 16 clubs in NSW and two in Canberra.

The company provides the tech used to collect and store personal information from each club’s patrons upon entry, such as a signature, home address, birthday, phone number, club visit timestamps and gaming machine usage.

A group of disgruntled developers claimed OutABox suddenly cut them off and refused to pay for a year-and-a-half of work. They have launched a website where they claim the private details of more than a million club customers have been leaked online.

The website reads, “Call the venue that allowed your data to be leaked and demand removal of OutABox systems.”

Vikings Erindale and The Tradies in Dickson are on the list of affected venues.

In a statement, the Vikings Group (which also manages venues in Chisholm, Lanyon and the Tuggeranong town centre) urged its members to “not respond” to “any suspicious communications that claim to be from OutABox or Vikings Group” while the matter is investigated with “utmost priority”.

Vikings Erindale and The Tradies in Dickson may have been affected by the breach. Photo: File.

The Tradies sent a similar message to all of the members and visitors it has on record but clarified any affected data was old.

The statement read, “The impacted provider supplied technology and services to assist us with our member sign-in process.”

“We no longer use this service provider. We are working with the provider to identify the extent to which any data relating to Canberra Tradesmen’s Union Club [the Tradies], including any personal information, may be involved.”

ClubsACT, which represents more than 40 licensed clubs in the ACT, echoed this, saying its members have moved away from using OutABox technology since COVID.

“The exposure to our market … was quite limited because most, if not all, of the clubs have already moved on to different technology,” CEO Craig Shannon told Region.

It’s understood any leaked data is from around this time and not recent.

There are more than 200,000 club memberships across the ACT, but Mr Shannon says Vikings Erindale and The Tradies are yet to determine exactly how many of their customers may have been affected.

“There’s a view the ACT has been minimally affected in terms of numbers, compared to other jurisdictions.”

Mr Shannon said the focus remains on the current investigation, and clubs will continue to keep members up to date with developments.

As for how long this will take, he said, “It’s a piece of string”.

“Our clubs are always reviewing this type of security and have high levels of consciousness about the issues involved,” he said.

“It’s very difficult to control things outside your own environment, but we’ll work with whatever learnings come out of this.”

The Alliance for Gambling Reform (AGR) took the opportunity to “spotlight the need for cashless gambling cards”.

“This breach highlights just how unaccountable clubs are and how haphazard they are with the mountain of private information they routinely collect from the public – without direct consent,” CEO Carol Bennett said.

The ACT Government is encouraging clubs to move away from gaming machines as a source of revenue. Photo: duallogic.

A cashless gambling card is linked to an online account or digital wallet, and rather than physical cash, credits are transferred to and from a gaming machine.

AGR has previously promoted it as a way of curbing the $27 billion Australians lose in gambling each year (and the associated harm), and the ACT Government launched an inquiry into how it could work locally last year.

Mr Shannon said this is “completely the wrong lesson to take away” from the data breach and argued a cashless gambling system replaces one digital storage system with another.

“That’s a lot of faith in your own system.”

The Tradies and Vikings Group were contacted for comment.

Visit the Access Canberra website for more information on protecting your identity after a data breach or cyber-attack.

Join the conversation

Joller, thank you for that link. My name, address and birth date are included in this data breach, even though my membership of the Tradies lapsed many years ago. I will write to the Tradies to complain, though I do not expect any real action by the Tradies.

Anythingbutzen 2:29 pm 04 May 24

Some time back I went to the Tradies club to meet a friend for a meal. In order to enter I was forced to provide personal information not relevant or needed. Stuck between a rock and a hard place I gave them my details. I had hoped they might delete them at some point. And because of this data storage breach, my details may have been compromised. Very worrying that businesses have no respect for security of our personal information. Not good enough.

Glad they think we are spared the worst here, obviously in the least my name, address and DOB is out there is not that bad… or the same details of my kid who ain’t even a member of the club (had her licence scanned when I signed her in) is also on the list. Why the hell do they even need to keep details of non-members. Haven’t heard crickets from the club, they have my mobile number ’cause I get text messages from them advertising promotions. My guess is if you are a member of one of these Canberra clubs or have had your licence scanned as a guest then your details are out there now…

It is really outrageous that the clubs can scan your IDs and keep all the info about you. Just a disaster waiting to happen.

I shudder to think that the next breach could be of a real estate database, for the amount of personal information they collect is truly staggering.

There should be a law to stipulate what kind of personal information businesses can collect and store for any particular use.

There have been a number of data breaches reported from real estate agencies in the last couple of years

Don’t buy this narrative for a second. I haven’t had a membership with Tradies for 15 years, and my details are on https://haveibeenoutaboxed.com/ Name, address, date of birth. Yet, they haven’t contacted me, unlike their claim. As is often the case, there is no data culling, and once you’re in the system, you’re in the system forever.
“There’s a view the ACT has been minimally affected in terms of numbers, compared to other jurisdictions.”
Yet a person who hasn’t been a member for 15 years has their data leaked!

Carolyn Zochling 8:03 pm 03 May 24

Thank you for posting the link. So disappointing as my family is caught up in it and no contact from the Tradies!
