NSW Police cybercrime investigators say they are working to have a website “disrupted” or “shut down” that contains the details of visitors to licensed clubs in NSW and the ACT.
The breach involves a supplier of sign-in and identity capture technology that is used by the venues and could impact up to 1 million people, NSW Police said.
NSW Police have set up what it is calling Strikeforce Division to investigate the breach.
ClubsNSW has acknowledged the breach in a statement on its website.
“ClubsNSW has been made aware of a cyber security incident involving a third-party IT provider commonly used by hospitality venues, including 16 clubs,” it said.
“While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised.”
NSW Police said in a briefing on Thursday afternoon that “portions of driver’s licenses, not necessarily the totality of that licence, were made accessible via an internet site”.
It said that cybercrime investigators had been able to limit some data being accessed but did not say how.
“We’ve been working with our state and federal partners and also international partners in order to take down that website, and at the very least to disrupt that website and to stifle the ability for information of members of the public who have utilised those clubs and their data to be released to the wider community,” NSW Police detective chief superintendent Grant Taylor said.
“We believe we’ve been relatively successful in regards to that to this point in time. We hope to see that that website will be shut down very soon, but at the moment it is very much limited to very set data, and not the totality of the data that it was able to be looked at earlier in the last 24 hours.
“We have limited the capacity for that information to be released to the public.”
The NSW government separately said it is “concerned about the potential impact on individuals” caught up in the breach, and that it is involved in the incident response.
“NSW government agencies are working with Commonwealth and ACT Government agencies as part of the response,” it said.
It “encouraged clubs and hospitality venues to notify patrons whose information is affected” as soon as possible.
NSW Police said that people should wait for specific advice on being caught up in the breach before trying to have their driver’s licence reissued.
Taylor said NSW Police had “several lines of very strong inquiry” in relation to the incident.
“The Strikeforce has already made significant headway and at this stage, we hope for some very early results,” he said.
One of the lines of inquiry is whether the alleged leakers of the data are based in Australia or overseas.
“Most certainly at this stage, we’re focusing our energies and our investigative processes here in Australia, but we most certainly are engaging other agencies, other companies and website controllers in other countries throughout the world,” Taylor said.
He added: “We have persons of interest in our inquiries. We are following up with those persons of interest, and we hope that those persons of interest will help us identify who the perpetrators are who have committed this act.”
