A data breach involving Australian facial recognition company Outabox raised serious privacy concerns and prompted investigations by authorities, including police and federal agencies.

Apparently disgruntled former Outabox employees created a website called 'Have I Been Outaboxed' containing one million facial recognition biometric, driver's license scan, signature, club membership information, addresses, birthdays, phone numbers, club visit timestamps, and slot machine usage records from 19 clubs and bars in New South Wales and the Australian Capital Territory operated by ClubsNSW.

Outabox had introduced facial recognition kiosks in response to the COVID-19 pandemic, which scanned visitors, checked temperatures, and identified problem gamblers. Australian cybersecurity expert Troy Hunt suggested that while the breach is concerning, the biometric data may not pose a significant risk if the data is not in the form of usable templates.

Outabox acknowledged unauthorised access to a client login system and said it is cooperating with law enforcement in the investigation. New South Wales police made an arrest in connection with the breach, suspecting it to be either blackmail or corporate sabotage.