The personal records of over a million NSW Clubs patrons have been leaked in what appears to be an intentional act of commercial revenge after IT provider Outabox allegedly failed to pay its developers. 

A 46-year old Fairfield man has now been charged with blackmail over the incident by NSW Cybercrime Squad detectives who are investigating the alleged data breach.

It is understood that the developers leaked the data as a way of getting back at the firm, making the security snafu somewhat unique to the typical third-party data breach. That’s unusual, to say the least, according to Richard Taylor, managing director of Melbourne-based CX agency Digital Balance, who posted about the situation shortly before it broke across the media.

“The cynic in me thinks the police are really investigating because their members and senior politicians have been listed in the database,” he quipped. Taylor believes that the clubs have partly fallen victim to the law.

“The problem is that the law hasn't kept up with the digital state of data and privacy. So in New South Wales, it's a requirement for licenced clubs to collect personal information and store it.

“The age of digital IDs and tokens, they should just be able to do what the police do and scan your digital driver's licence or proof of ID card. So yes, that person was over 18. If anything, they could store a token number or something, but they didn't have to store all that data.”

On an earlier LinkedIn post, Taylor wrote, “If you used a facial recognition system, had your licence scanned or signed in with your signature on a digital system to any of these clubs since 2020 your data has been leaked. If this affects you, call the venue and ask to have your data removed from the Outabox system. They had access to IGT gaming databases and exported the entire membership data, including members' addresses, birthdays, phone numbers and poker machine usage.”

NSW Clubs has said it is "deeply concerned" about the supposed breach, which is understood to have impacted individuals who have used a facial recognition system, had their license scanned or signed in with signature across almost 20 NSW Clubs venues since 2020.

The data accessed includes facial recognition biometrics, drivers license details, signatures, club membership data, address, birthday, phone number, club visit timestamps, and slot machine usage.

In a statement released on Friday morning, NSW Police said Cybercrime Squad detectives worked closely with Federal and State agencies to contain the breach and commenced an investigation under Strike Force Division which led to a search warrant and the arrest of the man at 4.20pm Thursday 2 May 2024.

The man was taken to Fairfield Police Station and charged with demand with menaces intend obtain gain/cause loss. He was granted conditional bail to appear at Fairfield Local Court on Friday 12 June 2024.