🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇦🇺 AU › Technology

Outabox (NSW clubs & pubs)

🇦🇺 New South Wales · Outabox · Record AU-2024-0190
○ Reported — awaiting official confirmation
Reported — awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
1,000,000+
Breach date
2024-05
Regulator
NSW Police; OAIC
Trust tier
B · Reported

Data exposed

Facial-recognition biometrics and driver licence scans Media-reported
Signatures, home addresses and dates of birth Media-reported
Club membership and gaming-machine usage data Media-reported

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In May 2024 data collected by Outabox — a vendor that supplies sign-in and facial-recognition systems to clubs and pubs — was posted online, reportedly exposing more than a million people who had signed in at around 19 NSW venues. The exposed data was reported to include facial-recognition biometrics, driver licence scans, signatures, home addresses, dates of birth, club membership details and gaming-machine usage [outabox-acs], [outabox-reg].

Timeline

  • 2024-05-02 — Reports emerged that patron data had been posted to a leak site by people claiming to be Outabox subcontractors; that claim could not be independently verified [outabox-acs].
  • 2024-05 — Outabox acknowledged a potential breach; NSW Police opened an investigation [outabox-acs], [outabox-reg].

Current status

Under investigation. The count of “over 1 million” is treated here as a reported minimum. The origin of the leak — a purported unpaid-subcontractor dispute — remains unverified [outabox-acs].

Why it matters

One of Australia’s most significant biometric-data exposures: facial-recognition templates and licence scans cannot be reissued like a password, and the incident sharpened the national debate over how venues collect and store biometric identity data.

GGOVERN Tabletop Exercises · Govern house Strengthen your cyber resilience — rehearse the decisions that matter. Book a Discovery Call →