A man has been arrested after sensitive details of more than a million customers who visited licensed venues in New South Wales were exposed in a major security breach.
New South Wales Police were alerted to a website that had published details of customers who used their driving licenses to check into 17 clubs and discotheques across the state.
Those whose data may have been compromised reportedly include prominent politicians.
Officers from the State Crime Command’s Cyber Crime Squad formed the Strike Force Division and worked closely with federal and state agencies to contain the breach.
Following extensive investigations, detectives raided a Fairfield West home in Sydney’s southwest on Thursday afternoon and arrested a 46-year-old man.
He was taken to Fairfield police station, where he is expected to be charged with blackmail.
Dramatic footage of the raid released by police showed 10 armed police officers storming a house on a quiet suburban street to carry out the execution.
They were followed by plainclothes detectives.
Officers from the NSW Cyber Crime Team arrested a 46-year-old man during a raid in Fairfield West on Thursday afternoon.
Dozens of officers raid Fairfield West home in south-west Sydney
Detective Chief Superintendent Grant Taylor said the breach had been active for “a number of days” but “only became known to the public in the last 24 to 48 hours”.
“We believe it is a breach by a third-party vendor,” he told reporters.
Seventeen locations were affected by the breach which police believe was compromised when a third-party IT provider hired to collect the data sent it overseas to another contractor.
Registered clubs are required by law to document and store the personal details of customers entering their premises in New South Wales.
One club affected by the data breach posted on Facebook that it used the provider from January 2021 to October 2022, but no longer used its services.
Club Old Bar said it had launched an investigation and was working with the supplier to identify the extent to which data relating to the club might be involved.
Third-party IT company Outabox said it was investigating the possible breach by an “unauthorized third party from a login system” and had alerted authorities.
“We are limited by the amount of information we can provide at this time, given that he is currently under active police investigation,” he said.
Investigators overloaded the site Thursday to prevent future records searches.
The records were posted online, with allegations that software developers hired in the Philippines had not been paid.
NSW Detective Superintendent Grant Taylor (pictured) said the sensitive data was posted online days ago but had only been detected in the past 48 hours.
Some affected clubs had already broken contracts with Outabox, even in one case because it sent data abroad.
Police urged concerned customers to wait until they are informed they have been affected by the breach before changing any details.
NSW Gaming Minister David Harris admitted the breach was worrying.
“We are really concerned about the potential impact on people and will encourage clubs and hospitality venues to notify customers whose information could be affected,” Harris said.
The exposed records include visit data, which means that some of the million records will be nearly duplicates.
The Gambling Reform Alliance said the breach could have been prevented by a centralized, secure system of universal cashless gaming cards.
“This breach highlights how irresponsible clubs are and how messy they are with the mountain of private information they routinely collect from the public, without direct consent,” said CEO Carol Bennett.
Federal and state police worked with the Cyber Crimes Team to gather information and locate the man who is expected to be charged with blackmail.
Cyber Crime Squad Commander, Acting Detective Superintendent Gillian Lister, issued a timely reminder urging everyone to protect their confidential information.
‘Now is the optimal time to ensure your cyber hygiene is good; “You have strong passwords and use two-factor authentication wherever possible,” Detective Lister said.
‘If you believe your data may have been compromised, take extra care when checking emails or text messages and never click on a suspicious or unknown link.
“Always ensure you report cybercrime incidents through the Australian Cyber Security Center or Scamwatch.”