What happened
In May 2024 data collected by Outabox — a vendor that supplies sign-in and facial-recognition systems to clubs and pubs — was posted online, reportedly exposing more than a million people who had signed in at around 19 NSW venues. The exposed data was reported to include facial-recognition biometrics, driver licence scans, signatures, home addresses, dates of birth, club membership details and gaming-machine usage [outabox-acs], [outabox-reg].
Timeline
- 2024-05-02 — Reports emerged that patron data had been posted to a leak site by people claiming to be Outabox subcontractors; that claim could not be independently verified [outabox-acs].
- 2024-05 — Outabox acknowledged a potential breach; NSW Police opened an investigation [outabox-acs], [outabox-reg].
Current status
Under investigation. The count of “over 1 million” is treated here as a reported minimum. The origin of the leak — a purported unpaid-subcontractor dispute — remains unverified [outabox-acs].
Why it matters
One of Australia’s most significant biometric-data exposures: facial-recognition templates and licence scans cannot be reissued like a password, and the incident sharpened the national debate over how venues collect and store biometric identity data.