In one of the more remarkable data breaches of late, details of more than a million visitors to clubs in New South Wales have been posted on the web, including those of senior state government officials.
The incident took place after what appears to be a payment dispute between an IT provider and developers in the Philippines.
When the developers didn't get paid, they are said to have set up a searchable website on which anyone could look up the names of the people whose data was exposed in the breach.
The devs have now stood up “Have I Been Outaboxed” that allows you to search by name and see the club the person signed into, along with partially redacted DoB and home address.
— Troy Hunt (@troyhunt) May 1, 2024
In NSW, clubs are required to scan patrons’ faces and match them to their drivers’ licences.
The representative body for clubs in the state, ClubsNSW, which has 1200 members, has confirmed the breach, saying:
“ClubsNSW has been made aware of a cybersecurity incident involving a third-party IT provider commonly used by hospitality venues, including 17 licensed clubs. While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised.”
NSW Premier Chris Minns, Deputy Premier Prue Car and Police Minister Yasmin Catley had their details exposed in the incident.
NSW Police acted fast to set up a task force to investigate the data breach, and have already arrested and charged a 46-year-old man for blackmail, and searched his premises. The bad news is that once the data has been posted on the internet, it’ll likely remain there and could be abused for identity theft and harassment.
Drivers’ licences exposed in the data breach will need to be replaced.
I asked Troy Hunt, who runs the Have I Been Pwned website that helps people discover whether their credentials have been compromised, whether the Outabox data should have been allowed to leave Australia:
"With the caveat that this is really a question for a data sovereignty lawyer: it depends on various factors, for example health data has some of the strictest data sovereignty and residency requirements in Australia," Hunt said.
"My Health Records and all associated data, including back-ups, must never be processed, held, taken, or handled outside of Australia," he added.
"As far as I know, there are no controls on the classes of data Outabox collected as far as sovereignty is concerned, nor are there controls on where the people managing it are located. As for whether there should be or not, were the same thing to happen if the developers were located in Australia it really wouldn’t change the outcomes we’re dealing with today," Hunt said.
Meanwhile, Australian authorities are warning that dealing in information from data breaches is illegal, and are asking people to refrain from doing so.
5 Comments
Which makes me wonder whether interest.co.nz has our identities secured?
I suspect there'll be a few who post that would be less than happy should their identities be matched with their comments. ;-)
(interest.co.nz please feel free to remove this post once the ramifications are understood.)
It depends.
1. Never use the same password as your email account.
One company I saw captured the passwords in plain text (this was against the default of the DB setup, so the devs actually expended effort to make sure the passwords were plain text) and then you could use the password to log into customers' email accounts (because so many people still use the same passwords)... I brought this to management's notice after I started working on the client's system and discovered it... it surprised me that for the years before my work on that client's system no one else in the team had brought it to the managers' attention that full email account access for many customers was being captured. A toxic workplace and undervalued engineering staff usually means that security and tech failures abound and are very costly to fix. I suspect previous devs were scraping customers' email accounts for identity theft or just regular theft in general.
2. Ideally use a different email address for each key task or service, e.g. a different email for banking, a different email for your family & friends, a different email for comments online, a different master email. If one is corrupted then the others should have enough security separation or protections that they are still mostly safe. If the master is corrupted, have a 2- or even 3-way login factor, e.g. 2-factor with an additional backup login key or token that they literally could not gain access to remotely.
3. Normally no site should store payment information or details, instead deferring to more secure services. However, evaluating them is a big task.
4. Also it bears repeating because of the frequency: Never use the same password as your email account (and set up multi factor logins).
So let's start with the 4 steps and it does not matter what information interest has at all. In fact the comment history is more likely to reveal private details.
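The plaintext password capture described in the comment above is the classic case where a dumped user table hands the attacker every customer's email login. As an added example, not code from the comment author or from any party in the article, here is a minimal Python sketch of the alternative: the stored record holds only a per-user random salt and a PBKDF2-derived key, so a copy of the table contains nothing that can be replayed against an email provider, and a wrong guess is rejected without revealing whether the account exists. The in-memory user table, the usernames and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table" for the example: username -> stored record.
# The plaintext design the comment describes would keep the password itself here;
# this version keeps only a salted, stretched hash of it.
USERS = {}

# Work factor is constructed for the example; pick it from current guidance
# (e.g. OWASP's password storage cheat sheet) for production use.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a record holding only the algorithm, work factor, salt and derived key."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt: identical passwords get different hashes
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "alg": "pbkdf2_sha256",
        "iters": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": derived.hex(),
    }


# Dummy record used when the username is unknown, so a failed lookup costs the
# same as a real verification and does not leak which accounts exist via timing.
DUMMY_RECORD = hash_password("dummy-password-never-accepted")


def verify_password(record, password):
    """Recompute the derived key with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iters"],
    )
    return hmac.compare_digest(derived, bytes.fromhex(record["hash"]))


def register(username, password):
    """Store a new user; the plaintext password is discarded after hashing."""
    USERS[username] = hash_password(password)
    return USERS[username]


def login(username, password):
    """Return True only for a known user supplying the matching password."""
    record = USERS.get(username)
    if record is None:
        verify_password(DUMMY_RECORD, password)  # burn equal work, then reject
        return False
    return verify_password(record, password)


def record_leaks_plaintext(record, password):
    """What someone who dumps the table sees: does any stored field contain the password?"""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    rec = register("alice", "correct horse battery staple")
    print("stored record:", rec)
    print("login ok:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "password123"))
    print("unknown user:", login("mallory", "correct horse battery staple"))
    print("plaintext in table:", record_leaks_plaintext(rec, "correct horse battery staple"))
```

The point of the two-call `login` path is that the cost and the return value are the same for an unknown user and for a wrong password, and that the only thing a table dump yields is a salted hash that must be attacked per user at the chosen work factor rather than reused directly against another service.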
All good advice, Pacifica, but only if humans behave like machines. Humans don't, and aren't machines. Good security takes account of humans' preferences for simplicity. And so it should. We also expect that, when we entrust our identities to 3rd parties, they protect the information we have provided in confidence.
Absolutely agree, customers should be able to trust services and companies with data, but the state of the data security & tech industry is so bad, with so many cowboys and being marketing- and management-top-heavy, that you really cannot trust a single one. https://xkcd.com/2030/ is an appropriate short humorous cartoon on the topic.
It is obvious the clubs in this case had no data security team left and no review of their IT. As so often happens, companies skimp on the engineering but spend large on marketing & management.
A key point: in most cases it is imperative to capture as little data as possible. If a business cannot guarantee the security of the chain in data capture and storage, don't collect that data.
If you have to cut your in-house engineering experience, e.g. a small to mid-size company that uses only consultants, IaaS, PaaS or SaaS, then it pays to have a good review of their security measures and team. Management needs to be more aware of data security & tech than of accounting these days, as many accounting tasks can be delegated & automated to more applications, e.g. MYOB, Xero, innumerable payroll apps etc., but the review of tech, data storage and applications never can be (including the security review of your accounting tools, good governance for financial payments & invoicing and the handling of staff data).
Having services based in the same country, or one that has agreements & laws to make it easier for legal prosecution for data theft & loss, is good. Don't just look at the website design (that is possibly the least important when you consider the threat of business financial loss, customer data loss and customer financial data loss). Also never assume back office and store data is secure because it is in a locked facility at night. Staff should also be completely aware of & use data security tools in the office, including home offices. Hard copy customer data should be as secure as digital, with both having a limited chain of people & services it passes through and restricted access (the number of GP application forms that go "missing" would also worry anyone). Deciding on a payment provider to tie in and the data security checks should occupy as much if not more time than the marketing approaches.
Sadly, for many people data security is completely ignored and they will agonize about design, fonts and the first ad campaign for weeks. Before they know it they will have customers sharing their primary email passwords with any service and allow storage & loss of payment information or enough private information to open accounts (e.g. the stolen drivers' ID data... not having adequate security for those details along with a recent photo is all a criminal will need to set up a loan or trading account in a moderate-security-check bank/exchange).
If you have to provide your birthday to apps or social services, pick one that is not your actual birthday (that is used for identity verification of financial & medical services); often the security checks on accounts over support services are still limited, as we have poor customer service training in NZ, and when outsourcing to overseas CS it is absolutely abominable. Your address can also be publicly registered and widely known in your network group, which can be leaked, but ideally you should try to limit sharing that information as much as possible.
Normally you would expect a large fine and/or a large prison sentence to discourage things like this, as they can lead to permanent risk of destitution via identity theft and even death of people, where people are targeted via private details who may have valid reasons not to disclose them, e.g. escaping abuse, being free from blackmail, being free from being racially targeted, or even death from such things as being targeted because you are better at a computer game than them (seriously, this has happened often these days).
Those who should be held to account are both the clubs (for not managing any level of data security and being extremely lax with customer private data, to the point of severe company-crushing fines; managers' scalps should be in order) and the developers overseas. But in truth neither may see much punishment. It really depends on international relations whether the developers are held to any account. Oh dear, they lost their paying jobs; yeah, that was the point they started at. The clubs who handed severely private customer data (enough to infinitely set up multiple false bank loans and accounts) to anyone claiming they were a "developer" overseas... seriously, did brain slugs eat the part of their brains that evaluates consequences and limits impulsivity? Was there no one who could explain why data security is important and that access & storage should be limited? Oh wait, yes there was no one; they fired all their in-house engineers and went to hire overseas developers instead...
They do the same thing right /sarc