An unauthorised website claims personal information of more than 1 million customers from at least 17 licensed NSW clubs have been released online in a potential data breach.
Cybercrime detectives are investigating the reported breach with the website claiming to have records and personal information of senior government figures, including Premier Chris Minns, Deputy Premier Prue Car and Police Minister Yasmin Catley.
IT provider Outabox said in a statement it had become aware of the potential data breach of a sign-in system used by its clients by an “unauthorised” third party.
“We are working as a priority to establish the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” Outabox said in a statement.
“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation.”
It is a legal requirement in NSW for licensed clubs to collect personal information from patrons on entry, under the state’s registered clubs legislation.
The information is required to be stored securely under federal privacy laws.
Government agency ID Support NSW confirmed 17 licensed clubs across NSW have been implicated in the data breach, including:
- Breakers Country Club
- Bulahdelah Bowling Club
- Central Coast Leagues Club
- Mex Club Mayfield
- City of Sydney RSL
- East Maitland Bowling Club
- East Cessnock Bowling Club
- Fairfield RSL Club
- Gwandalan Bowling Club
- Halekulani Bowling Club
- Hornsby RSL Club
- Ingleburn RSL Club
- Merivale
- Club Old Bar
- Club Terrigal
- The Tradies Dickson
- Erindale Vikings
Not just members affected
Gaming Minister David Harris said the government and police first became aware of the potential breach on Tuesday.
“We know that this is an alleged data breach of a third-party vendor, so it wasn’t a hack,” he said.
“There was a high-level meeting yesterday and the authorities, cybersecurity and police organisations are currently investigating that and when we get authorisation we can give more information.”
Mr Harris said patrons did not have to be a member of a club to be potentially impacted.
“If you had visited those venues then potentially you would be involved in this,” he said.
Cybercrime squad are investigating
ID Support NSW said it would assist customers impacted by the incident.
“We are concerned about the potential impact on individuals and urge clubs and hospitality venues to notify patrons whose information is affected,” it said in a statement.
“ID Support NSW is also available to help those affected reduce their risk of identity theft following this incident.”
NSW Police have confirmed detectives from the state’s cybercrime squad are investigating the potential breach, but said no further information was available as the investigation is ongoing.
ClubsNSW said in a statement that information on the breach is limited.
“The clubs concerned are working towards notifying all impacted patrons,” he said.
“ClubsNSW is deeply concerned about the security of the data that is the subject of the breach. We have today met with all impacted clubs and are providing whatever support we can, noting again that the incident relates to a third-party provider.”
ClubsNSW urged all club members to watch out for scams and avoid clicking on links in suspicious or unknown emails and texts.