Police and federal agencies are responding to a massive personal data breach linked to a facial recognition system that was deployed in bars and clubs across Australia. The incident highlights emerging privacy concerns as AI-based facial recognition is increasingly used everywhere from shopping malls to sporting events.
The affected company is Outabox, based in Australia, which also has offices in the United States and the Philippines. In response to the Covid-19 pandemic, Outabox launched a facial recognition kiosk which scans visitors and checks their temperature. The kiosks can also be used to identify problem gamblers who have signed up for a self-exclusion initiative. This week, a website called “Have I Been Outaboxed” emerged, which claims to have been created by former Outabox developers in the Philippines. The website asks visitors to enter their name to check whether their information had been included in an Outabox database, which the site said had lax internal controls and was shared in an unsecured spreadsheet. The site claims to hold over 1 million records.
The incident has irritated privacy experts who have long raised alarm bells about the spread of facial recognition systems in public spaces such as clubs and casinos.
“Sadly, this is a horrible example of what can happen as a result of implementing privacy-invading facial recognition systems,” Samantha Floreani, chief policy officer at Digital Rights Watch, an Australian-based privacy and security nonprofit, tells WIRED. “When privacy advocates warn about the risks associated with surveillance systems like this, data breaches are one of them.”
According to the Have I Been Outaboxed website, the data includes “biometric facial recognition, driver’s license [sic] scanning, signature, club membership data, address, date of birth, telephone number, club visit timestamps, slot machine use.” The site claims Outabox exported “full membership data” from IGT, a gaming machine supplier. IGT vice president of global communications Phil O’Shaughnessy tells WIRED that “the data affected by this incident was not obtained from IGT” and that the company would work with Outabox and authorities.
The website owners posted a photo, a signature, and a redacted driver’s license belonging to one of Outabox’s founders, as well as a redacted screenshot of the alleged internal spreadsheet. WIRED was unable to independently verify the identity of the website owners or the authenticity of the data they claimed to hold. An email sent to an address on the website was not returned.
“Outabox is aware of and responding to a cyber incident potentially involving some personal information,” an Outabox spokesperson tells WIRED. “We have been in communication with a group of our customers to inform them and outline our strategy for responding. Due to the current Australian crisis police investigation, we are unable to provide any further information at this time.”
New South Wales Police confirmed to WIRED on Wednesday that it was investigating a data breach, but a spokesperson declined to share further details. On Thursday, the force announced that, working with federal and state agencies, it had arrested an unnamed 46-year-old man in a Sydney suburb. He is expected to be charged with blackmail.