Incident Summary
It’s being reported across major news outlets (https://www.9news.com.au/national/data-breach-clubs-nsw-visitor-details-exposed/227f6e36-7913-47c5-8efc-880c32755a61) this morning that a major data breach of Club information has occurred.
It’s alleged that data includes facial recognition, driver licence details, signatures and addresses.
Gaming information also appears to have been leaked via the IGT API (Gaming Interface). Because each API key is limited to a single Club, this limits the amount of data that could be exposed via the IGT API.
The source of the data breach appears to be the Outabox sign-in system, with claims that the software developers (who were based overseas and had not been paid for over a year) released the information.
Who’s affected?
At this stage this only affects Clubs that run the Outabox sign-in system (predominantly a number of major Clubs within the Sydney region).
While the IGT API was leveraged to scrape data, authentication for the API is typically limited on a Club-by-Club basis.
What actions need to be taken?
No Clubs in Northern NSW appear to be affected by this breach so no immediate action is required.
Broadly speaking, this breach indicates that one of the primary cyber security risks for Clubs is third-party access.
Access to systems for Marketing, outsourced player Loyalty schemes and other third-party functions that heavily utilize Member data needs to be regularly reviewed and managed.
This and social engineering attacks remain the key threats that need to be actively managed in the Club environment.
As part of our regular Nevo Secure checks, access to systems is reviewed on a regular basis. It’s important to communicate any changes in circumstances with third-party providers (or internal staff) in a timely manner to minimize exposure to breaches of this kind.
If anyone has any questions at all please feel free to reach out.