Patrons at risk after clubs peak body discovers major data breach

The digital age has brought a host of conveniences, but as we've been reminded yet again, it also carries significant risks.

The latest incident to send shockwaves through the community is a major data breach that has left ClubsNSW, the peak body representing clubs and Returned and Services Leagues (RSLs) in New South Wales, ‘deeply concerned’.

This breach has potentially exposed the personal details of over a million Australians, including prominent politicians who have visited various clubs nationwide.



The breach was discovered when developers subcontracted by the company that provides sign-in systems for these clubs claimed they had the option of publishing visitor details online.

This alarming revelation has prompted an investigation by the NSW Police.

ClubsNSW issued a statement this morning, acknowledging the breach and its potential impact on patrons' privacy.


ClubsNSW was ‘deeply concerned’ after a third-party data breach affected its systems. Credit: ClubsNSW


‘ClubsNSW has been made aware of a cybersecurity incident involving a third-party IT provider commonly used by hospitality venues, including fewer than 20 clubs,’ a ClubsNSW spokesperson said in a statement.

‘While limited information is currently known, we understand that some personal information of patrons of the clubs that use this IT provider may have been compromised.’

The affected clubs are now scrambling to notify all impacted patrons, and ClubsNSW has assured that the 'appropriate authorities' have been notified and that affected clubs are being offered support.

Club patrons were also warned to be cautious of unfamiliar texts or emails, especially those containing website links.



The situation was brought to light by 2GB Breakfast host Ben Fordham, who described the unfolding breach as ‘causing a lot of worry in the NSW parliament’.

‘There is a company that has allegedly not paid some software developers in the Philippines,’ Fordham said.

‘Those software developers have now put up their own website, and they've essentially said, “We were given access to all of these systems, our bills haven't been paid in a year and a half, and we're not happy about it”.’



The website set up by these developers claims to have a vast array of personal data, including ‘facial recognition biometric, driver licence scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage’.

‘The developers were given access into back-end systems at these gaming venues and were given responsibility to maintain the systems and instructed to backup the data into the cloud,’ it said.

‘Developers were given access to raw data without any oversight...Then [the company] suddenly cut the developers off and refused to pay for a year and a half of work.’

West Tradies in Mt Druitt, City of Sydney RSL and Fairfield RSL were among those involved.



It’s understood that ClubsNSW has had an emergency meeting to address the breach, and the bar giant Merivale has also been reported to be affected.

The NSW Police Cybercrime Squad were ‘investigating a potential data breach’.

In a similar story, a popular Woolworths payment feature was temporarily suspended after a security breach.

Everyday Pay users were reportedly targeted personally by scammers, which led to them providing their details to the scammers. You can read more about the story here.
Key Takeaways

  • ClubsNSW has discovered a third-party data breach potentially exposing visitor details, including those of prominent politicians.
  • Personal information from attendees at fewer than 20 clubs using the compromised IT provider may be at risk.
  • The breach involves a subcontractor who has allegedly not been paid, leading to threats of wider data release.
  • NSW Police's Cybercrime Squad is investigating the breach, with ClubsNSW and affected venues responding to the situation.
Have you been affected by this or a similar data breach? How do you protect your personal information in the digital age? Share your thoughts and experiences in the comments below.
 
Just toddled down to the local clinic which had sent 4 bizarre emails to my wife asking for email address, password and for her to pay a week in advance for a telehealth appointment. The receptionist to whom we spoke firstly tried to speak over my wife thus indicating her unwillingness to listen to a patient, then she said that the 4 bizarre emails came from the clinic and then she said that they weren't scams. How could she tell the difference in the space of a couple of minutes between a true request for personal information and a scam request for such?

The emails were all SMS messages on her mobile phone and had the famous link in blue to enable one to give away one's personal info without much thought. The messages also included the threat to cancel the telehealth appointment if my wife did not reply within a very short time.

The site these emails came from is the one with "hotdocs" in its name. No you can't have my wife's email address; no, you can't have her password; no, you won't get paid in advance; and no, you can't have my wife's credit card number in advance of final payment on the day of the appointment. That's OUR system.
 
We give our information so readily. Why is this information not wiped after use?
I have asked clubs where the information is stored and have never had a satisfactory answer. Whoever allowed member and patron information to go offshore without the permission of the owners of that information needs prosecuting, if possible under our outdated laws. Whoever employed the developers in Australia should be investigated as well. Outsourcing to the Philippines is purely done to save money. The security risks are too high. The other question is why the Philippine company hasn't been paid as claimed?
 
Going offshore is irrelevant, it could be going next door or around the world. They caught the person involved, Fairfield NSW
 
You said "emails" were sent, next you say they were SMS's, so which were they? And the "famous link in blue"? What's that mean?

This is very simple - If they are emails check the address they CAME FROM. If they are SMS's PHONE the clinic to confirm they are real or not. You can also phone them if you are not sure about the emails.
 
"You said "emails" were sent, next you say they were SMS's".

Same damned thing to me, thanks. Someone sent 4 messages within half an hour to my wife's mobile 'phone; whether it was typed in by fingers using those little buttons on the 'phone or was voice mail or even typed in via a computer's keyboard is irrelevant. They were aggressive, invasive and asking for far too much personal information of the sort that scammers seem to enjoy and, which if a scam and answered, would have led (among other things) to the smartarses in these columns blaming my wife for a fool had we lost our bank accounts etc.

As for how we handled the business, that is our business and if those messages were scams with fake links included in blue type then how on earth can a busy receptionist, who clearly did not give a rat's backside about our face-to-face enquiry, prove in about 2 minutes that they were not? It appears from her information that HotDocs is a private company being used by certain medical clinics to "outsource" billing and notices to patients concerning appointments or something. Australia Post is a government entity, and yet scammers can use the Australia Post imagery to scam people. Thus "HotDocs" is the type of web-site that can also be "borrowed" to provide scam messages. It is that simple. As for their aggressive, threatening "business model" of dealing with patients using a clinic's medical services, "HotDocs" can get stuffed. Perhaps it is time to change GP.

P.S. Plurals are not indicated as such by the genitive apostrophe; SMSs is the correct form.
 
Phone to confirm, simple. If not real just delete.

HotDocs is used by many practices now, of course others can use their name to send messages, just like any company/business can be copied. It's 2024, that's life, you just need to be vigilant.
 
"you just need to be vigilant"

Indeed; we were. As for HotDocs; it is a company that needs to learn common courtesy that does not demand credit card details, password and advance payment for a service not yet delivered lest the future service will be terminated in the next 90 minutes. That is not OUR business model.
 
They did not instigate that, the clinic did. HotDocs is just the "mailman", the go-between and why would the clinic want a password, that does not sound correct and sounds very much like a scam. My wife and I use the HotDocs app regularly and have never had issues with them.
 
Thank you. We had never heard of "HotDocs" before this incident. Personally, I cannot see why any medical clinic needs a billing/appointments agency when they employ receptionists to use computers.

But then, we have all experienced the banking industry's cost-cutting practices.
 
You go onto the site and can see when your doctor is available months ahead, if your doctor is not available you may want to pick another, all their times are there. You manage the booking, cancel, book another appointment, etc. Only one account is required, can book for both people, pick the appointment time you want (Level B, C etc) and can look up when your appointment is when you forget if it's 2.00 or 2.30. When you turn up at the clinic you can login, sit down and say you are there. And it sends a reminder the day before that you have an appointment tomorrow.
 
My experience has been this; I have found about 30% of people are born innocent, and in time turn into Scum Bags pieces of Garbage. Like this current Data Breach. May the Guilty Ones burn constantly inside.
 
