Breaking: ClubsNSW, OutABox data breach not a hack, NSW Police ...

NSW Police has released a statement announcing the arrest of a man over the website that was threatening to share the data of millions of NSW residents:

Cybercrime Squad detectives investigating an alleged data breach threatening to share the personal details of over one million people have arrested a man in Fairfield West.

Yesterday (Wednesday 1 May 2024), officers attached to State Crime Command’s Cybercrime Squad were alerted to a website which had published the personal information of patrons who signed-in using their drivers’ licences at specific premises across NSW.

Cybercrime Squad detectives worked closely with Federal and State agencies to contain the breach and commenced an investigation under Strike Force Division.

Following extensive inquiries, about 4.20pm today (Thursday 2 May 2024), strike force detectives executed a search warrant in Fairfield West.

At the address, police arrested a 46-year-old man. He will be taken to Fairfield Police Station where he is expected to be charged with blackmail.

Our original story follows below:

Senior members of NSW Police have given a press conference over an alleged data breach that has possibly impacted millions of customers of a string of NSW pubs and clubs.

Sign-in provider OutABox released a statement regarding “a potential breach of data by an unauthorised third party” on Thursday (2 May) morning, after an anonymous website claimed to have inside information on the breach – including what data was involved.

As knowledge of that site circulated, ClubsNSW released its own statement: “ClubsNSW has been made aware of a cyber security incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs.”

“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised. The clubs concerned are working towards notifying all impacted patrons.”

Now, according to police, the anonymous website could have been established by the perpetrators of the data breach itself.

“That internet site was established a number of days ago and only really become known to the public in the last 24 hours to 48 hours,” a NSW Police spokesperson said.

“We’ve been working with our state and federal partners, and also international partners, in order to take down that website and, at the very least, to disrupt that website and to stifle the ability for information of members of the public who have utilised those clubs and their data to be released to the wider community.”

Police said NSW’s cyber crime squad is working on the investigation and that it may involve several offences, including blackmail and possession of data and personal information for unlawful purposes.

The police spokesperson said that they were not currently treating the alleged data breach as a hack but rather an issue with a third-party provider given “their ability to obtain that information and release it unlawfully”.

Also, while some commenters and media outlets have said that those customers impacted should change their driver’s licence immediately, NSW Police is recommending people await further advice. As to whether any prominent NSW individuals were caught up in the data breach, as has been reported, the police spokesperson said it is too soon to know any specifics.

“With a million people’s names being within those 17 to 19 clubs throughout New South Wales, there is no doubt there are individuals of some prominence in that total set of people,” the spokesperson said.

“I’m not going to go into specifics of any particular individual. Suffice to say that we’re engaging people that we need to engage at very early stages and alerting them to the fact that their names may have been released to the public.”

OutABox is actively assisting police with their inquiries and “helping to limit the amount of data that’s being released to the public”.

When asked if an arrest could be made in relation to the data breach, the police spokesperson said they were hopeful one could be made soon and that, currently, investigations are focused on Australia.

“But we most certainly are engaging other agencies, other companies and website controllers in other countries throughout the world,” the spokesperson said.

The national cyber security coordinator, Lieutenant General Michelle McGuinness, CSC, has also released a statement on the data breach, saying in a LinkedIn post that the “Australian government is coordinating the response to a cyber incident affecting a number of clubs and other licensed venues in NSW and the ACT”.

“The incident involves a content management and data storage provider, OutAbox, that provides services to the hospitality and gaming sectors in NSW and the ACT. My team is working directly with OutAbox on coordinating the response to the incident and on understanding what its impacts are.”

LTGEN McGuinness also said that curious individuals should not seek to access the data and that it is an offence to deal with stolen information.

“I know this will be distressing for those who have been impacted, and we are working as quickly as we can, alongside OutABox, to ascertain the full scale of the breach,” LTGEN McGuinness said.

“We are working closely with the NSW and ACT governments on behalf of the impacted clubs and venues.”

According to LTGEN McGuinness, the Office of the Australian Information Commissioner has been advised the Australian Signals Directorate’s Australian Cyber Security Centre is offering any assistance needed to manage the response to the incident.