ClubsNSW concerned over potential OutABox data breach

An IT provider used by a raft of NSW bars and venues has “become aware of a potential breach of data”.

OutABox, an IT vendor that provides sign-in and other IT systems for several entertainment venues across NSW, has said it may have been impacted by a potential data breach.

OutABox has not yet revealed what data may have been accessed or the number of individuals impacted, but it has released a short statement.

“OutAbox has become aware of a potential breach of data by an unauthorised third party from a sign-in system used by our clients,” an OutABox spokesperson said.

“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement.

“We are restricted by how much information we are able to provide at this stage, given it is currently under active police investigation. We will provide further details as soon as we are able to.

“We understand this news may cause concern to our staff, clients and their customers, and we thank them for their support and patience as we work to resolve this as swiftly as possible.”

OutABox’s website is currently down, though whether this is a result of the incident or due to other circumstances is unknown.

Meanwhile, an anonymous individual has created a website detailing the means and motive of the alleged cyber attack, along with a searchable database of affected individuals. However, it is unclear what relationship the site and its creator have to the attack or to OutABox itself. Cyber Daily understands that the information the site presents may not be accurate, despite being widely reported in the media.

Given the impact of the possible breach, ClubsNSW has said it is concerned over the possible loss of personal data used to identify and sign in club patrons.

“ClubsNSW has been made aware of a cyber security incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs,” a ClubsNSW spokesperson said in a widely reported statement.

“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised. The clubs concerned are working towards notifying all impacted patrons.

“We wish to assure club members that additional updates will be provided once further details are confirmed. In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links.”

NSW Police has confirmed it is investigating the incident, and David Harris – NSW’s gaming and racing minister – has also expressed concern.

“We’re really concerned about the potential impact on individuals, and we will encourage clubs and hospitality venues to notify patrons whose information might be affected,” Harris said in a statement.

A spokesperson for the Merivale group of venues, which has been implicated in the leak, has said that so far no Merivale customer data has been affected.

“We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time,” a spokesperson said.

Central Coast Leagues Club CEO Edward Camilleri, however, has said that while he is concerned, his club only used OutABox's services for a short period of time.

"The impacted provider supplied technology and services to assist us with our Club sign-in process from June 2021 to February 2023… The products used have been removed from the Club," Camilleri said in a statement to media.

He added that some “personal information of members and visitors of clubs may have been compromised”.

"We are of course concerned and are taking urgent action to protect our members, guests and patrons. We wish to assure club members and guests that additional updates will be provided once further details are confirmed. In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links."

NSW Police also released a statement on Thursday afternoon, saying it is aware of a site hosting data from the breach.

"Detectives are working closely with other federal and state agencies to contain the breach and have the site taken offline as a matter of priority," said Detective Acting Superintendent Gillian Lister, Commander of the NSW Police's cybercrime squad.

"Now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible. If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link."

UPDATE 02/05/24: Updated throughout the day with further commentary.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
