
Reported Australian biometric data breach prompts arrest and hysteria


An apparent data breach of personal information including face biometrics of about a million Australians has been reported, and an arrest made.

People claiming to be former developers for Outabox in the Philippines created a website claiming they have “facial recognition biometric, driver licence [sic] scan, signature, club membership data, address, birthday, phone number, club visit timestamps, slot machine usage” data. It also says the hack is a response to Outabox’s failure to pay them for 18 months.

The data was apparently collected from 19 venues in New South Wales and the Australian Capital Territory operated by ClubsNSW. The firm had contracted Outabox, a hospitality IT provider, which is the source of the allegedly breached data. Outabox received the data from systems operated by gambling machine supplier IGT, according to the website.

The claims made on the site have not been verified.

Australia has been embracing face biometrics as a tool for enforcing responsible gaming measures like self-exclusion.

Outabox and the website claiming to share the details of the breach have released statements and responses alleging and denying poor data management practices and violations of privacy regulations.

An unnamed 46-year-old man was arrested in the Sydney area and is expected to be charged with blackmail, The Australian Financial Review reports. AFR also notes that the local arrest may indicate that the website registered in the Philippines may be a ruse to throw investigators off the real perpetrators’ trail.

The purported hackers’ website claims facial and driver’s license images were stored, the former appearing not to have been converted into templates, and therefore not directly useful for biometric comparison.

Wired wrong: “hidden danger” vs “no real risk”

Wired’s coverage refers to the “hidden danger of biometrics,” but terms like “template” and “encryption” do not appear either on the purported hackers’ website or in the news article.

“The biometric line is a good headline, but it’s likely a little hyperbolic: data that a verifier captures in order to match biometrics is not necessarily usable in other contexts and possibly poses no real risk,” cybersecurity expert Troy Hunt, who created the website Have I Been Pwned, posted on X.

This is because facial images cannot be matched by facial recognition algorithms unless the biometric data is presented in the form of a template. Reverse engineering biometric templates is possible in theory, but has yet to be observed in the wild.

Wired quotes Hunt’s assessment of the veracity of the claims, and even links to his posts on X, but declines to note the contradiction with its headline.
