UPDATE: ARREST MADE OVER ALLEGED DATA BREACH

What appears to be a disgruntled group of software engineers in the Phillipines seem to be behind a site exposing the data of up to one million people in what could become a massive potential identity fraud risk, after the details used to sign into many registered clubs was made searchable through an online portal this week.

The group, on a website we cannot verify in any way, claim to be developers in the Phillipines who were allegedly contracted by Australian company “Outabox” to build the software for their systems. Those systems Outabox provides to registered clubs to be used at the front entrance for people to sign in as is required in registered clubs.

From what we can see, Outbox machines scan and capture the drivers licence of a user, take the details and incorporate into a user database. Facial recognition is used to match the licence to the user, and a signature is kept, the website of Outabox is not available tonight, so we cannot verify the exact details of their machines.

These developers were allegedly contracted to build out these systems, and make the claim that after 18 months of work, they were cut off from the job, and left unpaid.

However, during their time working on the systems they claim to have had full and complete access to the data, which includes – in addition to those licence details, content from gaming databases (from the poker machine company/s) and – they claim, they exported the entire membership data.

If true, that data is potentially far more damaging than even people’s drivers licences because it includes phone numbers and slot machine usage.

A spokesperson for Outabox told EFTM tonight that “Outabox is aware and responding to a cyber incident potentially involving some personal information.

“We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.

“We are aware of a malicious website carrying a number of false statements designed to harm our business and defame our senior staff. We believe this is linked and urge people not to repeat false and reputationally damaging misinformation.”

The people releasing this data have made it possible for people to search for their own names, to see if they are affected. With the results, at this stage, masking out private details:

While EFTM cannot verify the totality of the data on the site, or validate any of the claims being made, it’s clear to me that there’s some level of truth to the story, given my own data is on the website.

As if to prove they have the information, these searches are free and public, and because they don’t ask to validate any information, do not in our mind pose a security risk of their own.

Again, in an attempt to validating their data, they show on their site the details of one user, including a facial photo, licence and signature

No demands for payment, ransom or otherwise are made by the website, in fact, they simply encourage people to contact their club to remove the Outabox systems – until we know the full story, users should not do anything – instead wait for advice from the relevant authorities.

But, it seems clear to us, there’s little doubt they are keen to be paid – whether they are owed any money in the first place is something lawyers and law enforcement will need to work out.

Clubs have been meeting today frantically working out next steps, and my local club the Hornsby RSL tonight contacted it’s members with this statement:

At 1900 hours on 29 April 2024, Hornsby RSL Club was informed that one of our former external service providers suffered a cyber security incident. Our internal IT systems have not been impacted.
 
The impacted provider supplied technology and services to assist us with our Club sign-in process from 1 January 2021 to 31 July 2023.
 
We have been informed that data held by the provider has recently been taken and posted onto the internet.
 
We have notified the Office of the Australian Information Commissioner, the Australian Cyber Security Centre and NSW Government of the incident.
 
We have commenced an investigation into the incident. We are working with the provider to identify the extent to which any data relating to Hornsby RSL Club, including any personal information may be involved.
 
We will provide a further update as our investigations progress.
 
At this stage we ask you to remain alert to suspicious activity or communications, including any communications purporting to come from us. Please do not respond to or continue with any suspicious communication until you have taken steps to verify it is legitimate using trusted and reliable information.
 
Please also let us know immediately if you see or receive anything suspicious, particularly if it is said to originate from us. If you believe you have become a victim of cyber-crime, please report the incident on the Australian Cyber Security Centre Website at www.cyber.gov.au.
 
Further information about online safety, cyber security and other helpful tips can be found at the Australian Cyber Security Centre website or the ACCC’s Scamwatch website.
 
We deeply regret any distress, concern or inconvenience this has caused.

Hornsby RSL

The clubs listed by the developers are below, however again, this list has not been validated in any way by EFTM (Update: the “Diggers” reference was vague, so we contacted the leak site operators who confirmed it was the Ettalong Diggers)

BreakersBreakers Country Club
BulahdelahBulahdelah Bowling Club
CCLCCentral Coast Leagues Club
Mex ClubMex Club Mayfield
COSRSLCity of Sydney RSL
Ettalong DiggersThe Diggers Club (Ettalong)
EMBCEast Maitland Bowling Club
ECBCEast Cessnock Bowling Club
FairfieldFairfield RSL Club
GwandalanGwandalan Bowling Club
HaliHalekulani Bowling Club
HornsbyHornsby RSL Club
IngleburnIngleburn RSL Club
MerivaleMerivale
Club Old BarClub Old Bar
Club TerrigalClub Terrigal
TradiesThe Tradies Dickson
VikingsErindale Vikings
West TradiesWest Tradies

EFTM understands Merivale do not use the systems for any checkin or sign in, but for much more infrequent purposes.

A spokesperson for Merivale told EFTM on Thursday “We are taking this matter seriously and do not believe that our customer data has been compromised in this third-party data breach, based on the information available to us at this time.” 

NSW Police tonight confirmed to EFTM they are investigating, a spokesperson saying “Officers from the State Crime Command’s Cybercrime Squad are investigating a potential data breach. As the investigation is ongoing, no further information is available at this time.”