Details of Outabox Data Breach
Issue: User data collected by Outabox (a third-party identification company that provides services to pubs and clubs within Australia) has been exposed, affecting over 1 million Australians.
Evidence: So far the information that we can work off regarding the breach is sourced from the website https://haveibeenoutaboxed.com/, which may or may not be run by the people who initially took the information. On the website you can search your first and last name to see if your information is in there. The website complains that the management of Outabox did not pay overseas developers and did not enforce strict information access policies, which adds to the theory that the website admin is, or is connected to, disgruntled overseas developers. It does not look like any exploits, phishing or usual hacking tactics were used. This appears to be a case of outsourced developers who had too much access to data and were disgruntled with their employers.
Solutions: This data leak is harder to protect yourself from than others because you cannot get into certain clubs without scanning your ID upon entry. Troy Hunt from haveibeenpwned.com has already recommended that people who have been caught in the breach replace their licences. Overseas development needs to have stricter access controls and policies applied.
Update: https://haveibeenoutaboxed.com/ has now removed the search functionality and replaced it with a message reading:
"No private data was actually disclosed publicly, and no hacking occurred.
All records have already been removed"
"We thank you for listening the whistle has been heard."
Sources:
https://haveibeenoutaboxed.com/
https://www.wired.com/story/outabox-facial-recognition-breach/
https://www.outabox.io/press_release/index.html