Millions of records leaked in NSW clubs data breach

SafeWise experts have years of firsthand experience testing the products we recommend. Learn how we test and review

NSW club and pub patrons are being urged to replace their identity documents after a data breach resulted in millions of records being leaked.

Here's everything you need to know.

What happened?

Outabox, an IT provider used by more than a dozen hospitality venues and groups across New South Wales, announced earlier today that it had become aware of a potential data breach, attributed to an "unauthorised" third party.

"We are working as a priority to establish the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement," Outabox said in a statement, explaining they were limited in how much information they were able to provide, given the case was still under police investigation.

Who is affected?

In NSW, it is a legal requirement for licensed clubs to collect information from patrons upon entry. Federal law states that this information must be stored securely.

Merivale, one of the largest hospitality groups in NSW, claims its venues were unaffected by the breach, but that they were "taking this matter seriously".

The following 14 venues have been confirmed by ID Support NSW as being implicated in the breach:

  • Breakers Country Club
  • Bulahdelah Bowling Club
  • Central Coast Leagues Club
  • Mex Club Mayfield
  • City of Sydney RSL
  • East Cessnock Bowling Club
  • Fairfield RSL Club
  • Gwandalan Bowling Club
  • Halekulani Bowling Club
  • Hornsby RSL Club
  • Ingleburn RSL Club
  • Club Old Bar
  • Club Terrigal
  • The Tradies Dickson
  • Erindale Vikings

A website called haveibeenoutaboxed.com claims more than one million patrons' data have been compromised, with a search bar for people to check if their information is among the leaked data. However, we recommend exercising caution using this website, as it does display some sensitive personal information (although most has been redacted).

The website also contains a number of accusations against Outabox, claiming the company gave developers access to raw data without oversight.

What to do if you've been impacted

According to cybercrime squad commander, detective acting superintendent Gillian Lister, people should take this incident as an opportunity to brush up on their "cyber hygiene".

"If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link," she said.

Troy Hunt, Cyber security expert and creator of haveibeenpwned.com,  however, believes affected patrons should take more drastic measures.

"Drivers licenses, however, is Optus redux: they all need replacing now," he wrote on X (formerly Twitter). "Signatures and photos are obviously immutable (by any practical measure) and combined with the other personal identities (name, phone, address), are *very* useful for criminals."

Georgia Dixon
Written by
Georgia Dixon
Georgia Dixon has 10 years of experience writing about all things tech, entertainment and lifestyle. She has bylines on Reviews.org, 7NEWS, Stuff.co.nz, in TechLife magazine and more. In 2023 she won Best News Writer at the Consensus IT Awards, and in 2024 she was a finalist for Best News Journalist at the Samsung IT Journalism Awards (The Lizzies). In her spare time, you'll find her playing games and daydreaming about good food, wine, and dogs.

Recent Articles