A man has been charged with blackmail after threatening to share the personal data of more than one million club patrons.
The 46-year-old was arrested in Fairfield West on May 2 by Cybercrime Squad detectives investigating the alleged data breach.
Police were first alerted on May 1 to a website where the personal information of club patrons from 17 venues in NSW and the ACT had been published.
The data breach involved a third-party IT provider called Outabox used by venues for digital sign-in services.
The City of Sydney, Fairfield, Hornsby and Ingleburn RSL clubs were all listed as being affected by the breach.
Other venues named include Breakers Country Club in Wamberal, Bulahdelah Bowling Club, Central Coast Leagues Club, Mex Club Mayfield, East Maitland Bowling Club, East Cessnock Bowling Club, Gwandalan Bowling Club, Halekulani Bowling Club, Club Old Bar, Club Terrigal, West Tradies in Dharruk, and The Tradies Dickson and Erindale Vikings in the ACT.
Hospitality operator Merivale has also been named.
NSW Police Serious Crime Directorate detective chief superintendent Grant Taylor said on May 2 police were focusing on "strong lines of inquiry in Australia" but were also looking at individuals overseas.
Superintendent Taylor said "portions" of drivers' licences, not the "totality", had been hacked and police were close to "successfully" shutting down the website they were posted to.
He urged people not to change their drivers' licence unless they had been identified on the website.
"We are working with state and federal partners to disrupt that website, we have been relatively successful to do that and we hope to see that the website is shut down very soon," he said.
Australia's Cyber Security coordinator lieutenant general Michelle McGuinness described the breach as "distressing" on X.
"I know this will be distressing for those who have been impacted and we are working as quickly as we can, alongside Outabox, to ascertain the full scale of the breach," she said.
"We are working closely with the NSW and ACT governments on behalf of the impacted clubs and venues."
In NSW, registered clubs are required by law to collect personal information from patrons entering the venue.
In a statement on its website, Outabox said it had notified the relevant authorities and was "working as a priority to determine the facts around [the] incident".
"We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation," the company said.
"We will provide further details as soon as we are able to."
Bulahdelah Bowling Club is one of the venues named in the breach and said it had previously used Outabox for its electronic sign-in system but hadn't been associated with the company for "several months".
"We are hoping that the impact on our club will be minimal or zero, given that we no longer deal with Outabox," the club said on Facebook.
"However, if we discover that the data breach has had any effect on our club or our members, we will advise further."
Meanwhile East Maitland Bowling Club told its customers it had never used the services of Outabox and was investigating the matter.
Commonwealth, ACT and NSW governments alerted to risks
Customers who believe they may have been affected can contact ID Support NSW on 1800 001 040 or by using an online form.
A spokesperson for ClubsNSW, which represents more than 1200 member clubs, said it was "deeply concerned" about the security of data caught up in the breach.
"While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised," the spokesperson said.
"The clubs concerned are working towards notifying all impacted patrons."
The spokesperson said ClubsNSW had met with all affected clubs, of which there were "fewer than 20".
"We wish to assure club members that additional updates will be provided once further details are confirmed," the spokesperson said.
"In the interim, club patrons are advised to take extra caution when reviewing emails or texts and to avoid clicking on any suspicious or unfamiliar links."