Outabox data breach exposes 1m biometric records

Occurred: May 2024


A data breach involving Australian facial recognition company Outabox raised serious privacy concerns and prompted investigations by authorities, including police and federal agencies.

Apparently disgruntled former Outabox employees created a website called 'Have I Been Outaboxed' containing one million records, covering facial recognition biometrics, driver's license scans, signatures, club membership information, addresses, birthdays, phone numbers, club visit timestamps, and slot machine usage, from 19 clubs and bars in New South Wales and the Australian Capital Territory operated by ClubsNSW.

In response to the COVID-19 pandemic, Outabox had introduced facial recognition kiosks that scanned visitors, checked temperatures, and identified problem gamblers. Australian cybersecurity expert Troy Hunt suggested that while the breach is concerning, the biometric data may not pose a significant risk if the data is not in the form of usable templates.

Outabox acknowledged unauthorised access to a client login system and said it is cooperating with law enforcement in the investigation. New South Wales police made an arrest in connection with the breach, suspecting it to be either blackmail or corporate sabotage.

System


Operator:
Developer: Outabox
Country: Australia; Philippines; USA
Sector: Travel/hospitality
Purpose: Identify bar/club users
Technology: Facial recognition
Issue: Privacy; Security