Police have launched an investigation into a data leak involving several ClubsNSW venues, with fears customers may have had their identity documents compromised.
The “cybersecurity incident” involves Outabox, a third-party IT provider used by hospitality venues and some overseas casinos. The technology used by the clubs includes front-of-venue sign-in systems.
Venues impacted include the Central Coast Leagues Club in Gosford, Breakers Country Club in Wamberal, City of Sydney RSL, Club Terrigal, Mex Club in Mayfield and Bulahdelah Bowling Club.
East Cessnock Bowling Club, Fairfield RSL, Gwandalan Bowling Club, Halekulani Bowling Club, Ingleburn RSL, Club Old Bar and West Tradies in Dharruk were also among the venues compromised.
“ClubsNSW has been made aware of a cybersecurity incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs,” a ClubsNSW spokesperson said.
“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised. The clubs concerned are working towards notifying all impacted patrons.”
Cybersecurity experts have warned the leak could potentially be as serious as the Optus breach in 2022, which forced up to 10 million of its customers to replace their drivers’ licences.
Cybersecurity researcher Troy Hunt, the founder of data breach tracker Have I Been Pwned, said the fact that licence scans were likely caught up in the leak made it “Optus redux”.
“They’ll all need replacing now,” Hunt said of licences stolen in the latest ClubsNSW leak. “Signatures and photos are obviously immutable and combined with the other personal identities are very useful for criminals. This is a complete mess, and it will get very interesting.”
A spokesman for Merivale, which owns some of the venues that were named as being impacted, said they were not aware of any patrons’ data being stolen in the incident.
“We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time.”
ClubsNSW has met with the impacted venues and the government as the full scope of the breach remains under investigation.
“We wish to assure club members that additional updates will be provided once further details are confirmed. In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links,” the ClubsNSW spokesperson said.
A spokesperson for NSW Police confirmed an investigation had begun.
A website that appears to be set up by someone with knowledge of the Outabox systems claims that more than a million personal records have been compromised globally. The website claims facial recognition, licences, signatures and personal information like phone numbers and addresses have been compromised.
A search box on the website allows people to search their name to see if they have been impacted by the data leak.
“Outabox has become aware of a potential breach of data by an unauthorised third party from a sign-in system used by our clients,” the company said in a statement.
“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in co-operation with law enforcement.
“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff. We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.”
Philip Bos, a cybersecurity expert and founder of software company BlueKee, said he is frustrated that pubs and clubs ask for so much personal information, and the incident could have easily been avoided.
“Why do they need to store sensitive information such as facial recognition, driver’s licence details, signatures and addresses when all that is required is proof of being over 18, and possibly proof of living more than 5 kilometres [away] if signing into a club as a guest?” Bos said.
“Businesses today usually use your name, date of birth and address to identify you, which is all the information that a hacker needs to steal to become you. Think of the mildest of motor vehicle accidents – you exchange particulars and have now given away enough for the recipient to become you.”
Tens of millions of Australians have been caught up in recent security breaches, including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World, and Dymocks, in what’s being dubbed a “new normal” of consistent attacks and leaks.
The Optus breach led to new legislation significantly increasing penalties for serious or repeated breaches of customer data. Organisations that fail to protect people’s data adequately face fines of $50 million or more.
“When Australians are asked to hand over their personal data they have a right to expect it will be protected,” Attorney-General Mark Dreyfus said when introducing the legislation in October 2022.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
https://news.google.com/rss/articles/CBMigAFodHRwczovL3d3dy5zbWguY29tLmF1L25hdGlvbmFsL25zdy9jbHVicy1uc3ctcGF0cm9ucy1hdC1yaXNrLW9mLWlkZW50aXR5LXRoZWZ0LWFmdGVyLXRoaXJkLXBhcnR5LWRhdGEtbGVhay0yMDI0MDUwMi1wNWZvOTUuaHRtbNIBAA?oc=5
2024-05-02 02:23:20Z
0 Response to "NSW pubs patrons at risk of identity theft after third-party data leak - Sydney Morning Herald"