Outabox Data Breach

High-level Summary of the Security Advisory

Outabox Solutions, located in Sydney, Australia, caters to the Gaming and Hospitality Industry by crafting custom digital media experiences to enhance customer engagement. Their offerings include a suite of products like AppBox, a platform for managing media, integrated applications, and signage; BoxPlayer, a digital signage player for displaying media content; cloud-based advertising & marketing solutions to streamline advertisement management; WiFi & Networking Solutions for designing and implementing business networks; and custom Gaming Industry reporting solutions that provide valuable insights to their clientele. 

During the recent pandemic, Outabox took measures to assist their clients in safely reopening their businesses. Understanding the challenges posed by the global health crisis, Outabox introduced facial recognition technology as part of its TriAgem Facial Recognition Kiosk. This innovative solution scans for temperature and verifies members, providing a contactless sign-in process. Now widely adopted in various pubs and clubs across Australia, this technology ensures a seamless and secure entry process for patrons while adhering to health and safety guidelines.

On May 2, 2024, Outabox was implicated in a data breach that reportedly exposed the personal information of over a million Australians who visited local pubs and clubs. According to The Register, an anonymous leak site claimed to possess this data, including individuals' names, partial addresses, dates of birth, and the venues where the information was collected. The site offered a search facility where people could find individuals' names and view this information. The leaked site alleged that the records originated from Outabox, as their sign-in kiosks were used to collect the information from patrons at these venues. Furthermore, the site claimed that Outabox outsourced software development and granted offshore coders access to sensitive data collected by gaming venues, including facial biometrics, driver's license scans, and club membership details. It was also alleged that Outabox instructed these developers to back up the data in public cloud storage.

According to The Guardian, New South Wales police are investigating the data breach involving Outabox and suspect it to be either blackmail or corporate sabotage. On the evening of May 2, 2024, police arrested a man they believe to be involved in blackmailing Outabox. Investigators are looking into whether the anonymous website was set up by this suspect. New South Wales police aim to shut down the anonymous site promptly. 

While Outabox hasn't officially disclosed the type of data potentially compromised or the number of affected individuals, they have released an official statement addressing the incident. The company acknowledges unauthorized access from a client login system and is actively collaborating with law enforcement to investigate the matter. Outabox has also notified the relevant authorities about the breach. The company promises to provide more information as soon as possible, demonstrating its commitment to transparency and addressing the issue responsibly.

Should I be concerned? 

Maybe. It depends on if you have a relationship with Outabox. Click on the link below and search for “Outabox”, “AppBox”, “BoxPlayer” and “TriAgem” to find out if you have a relationship with this vendor. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. 

What to do if you or your vendors have active relationships with Outabox.

According to The Sector, it is a suspected blackmail attempt or a corporate sabotage where personal data such as names, email addresses and other details are compromised. This incident underscores the importance of prioritizing data security, especially for companies handling sensitive information. As cyberattacks become increasingly sophisticated, strong cyber hygiene and robust data security measures have become essential for mitigating such threats.

In light of the data breach at Outabox, we strongly advise all individuals and organizations to prioritize data security. It is imperative to ensure your cyber hygiene is robust by using strong passwords and enabling two-factor authentication where possible.

Additionally, exercise caution when receiving emails and text messages. Do not click on suspicious or unfamiliar links. 

These measures are essential for protecting against cyber threats and safeguarding personal and organizational data.

We also recommend staying informed by following updates from Outabox and the government authority.

---------------------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback, please let us know at product@visotrust.com.

For any additional questions, please reach out to your customer success manager.

The VISO TRUST team

—----------—----------—-----