Club visitors’ personal details exposed in data breach

The personal details of Australians who visited more than a dozen licensed venues have been exposed as investigators vow to shut down the offending website. 

Aggrieved workers at an IT provider appear to have published the personal details of patrons who signed in at 17 NSW venues, including signatures and driver's licences, on an unauthorised website.

Detective Chief Superintendent Grant Taylor said the site was live “a number of days ago” but “only really became known to the public in the last 24 hours to 48 hours”.

“We believe it’s a breach of a third party provider,” he told reporters on Thursday.

Registered clubs are required by law to document and store the personal details of patrons entering their venues in NSW. 

NSW Detective Superintendent Grant Taylor says the breach became known in the last 24 to 48 hours. (Bianca De Marchi/AAP PHOTOS)

The third-party IT provider contracted to collect the data had sent it offshore to another contractor.

The records were published online, with allegations contracted software developers in the Philippines had not been paid.

Some affected clubs had already severed contracts with the third-party provider, including in one case because it was sending data offshore.

Det Supt Taylor said investigators were working to limit the data that’s been released and to manage its tracking as effectively as possible.

Police are urging patrons to wait until they are advised they have been affected by the breach before changing any details.

But privacy protection expert Philip Bos said the breach illustrates how Australians are often forced to hand over information to organisations which don’t know how to handle confidential data correctly or safely.

NSW Gaming Minister David Harris said the breach was worrying.

“We’re really concerned about the potential impact on individuals and we will encourage clubs and hospitality venues to notify patrons whose information might be affected,” Mr Harris said. 

The exposed records include visitation data, meaning some of the one million records will be near-duplicates.

Alliance for Gambling Reform said the breach could have been avoided by a centralised, secure universal cashless gambling card system. 

“This breach highlights just how unaccountable clubs are and how haphazard they are with the mountain of private information they routinely collect from the public, without direct consent,” chief executive Carol Bennett said in a statement. 

David Harris is worried about the potential impact on people whose data is exposed. (Bianca De Marchi/AAP PHOTOS)

One club affected by the data breach posted to Facebook that it used the provider from January 2021 to October 2022, but no longer used their services. 

Club Old Bar said it had started an investigation and was working with the provider to identify the extent to which any data relating to the club may be involved. 

The third-party IT company, Outabox, said it was investigating the potential breach by an “unauthorised third party from a sign-in system” and had alerted authorities. 

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation,” it said.

Investigators overloaded the site on Thursday to disable further searching of records.

CLUBS AFFECTED BY DATA BREACH:

* Breakers Country Club 

* Bulahdelah Bowling Club 

* Central Coast Leagues Club 

* Mex Club Mayfield 

* City of Sydney RSL 

* East Maitland Bowling Club 

* East Cessnock Bowling Club 

* Fairfield RSL Club 

* Gwandalan Bowling Club 

* Halekulani Bowling Club 

* Hornsby RSL Club 

* Ingleburn RSL Club 

* Club Old Bar 

* Club Terrigal 

* The Tradies Dickson 

* Erindale Vikings

PUBS AFFECTED

* Merivale

This post was originally published on Michael West.