A million Australian pubgoers wake up to find personal info listed on leak site

Over a million records describing Australians who visited local pubs and clubs have apparently been posted online. An anonymously published leak site claims the records came from a tech services company called Outabox. The leak site, which The Register has visited but will not name or link to for legal reasons, offers a …

  1. Pascal Monett Silver badge

    "The kiosk can capture facial biometrics and match it to a database"

    So, one step further down the road to biometrics being used for the most mundane things.

    Why does a club require you to give up your face to some datacenter that gives no guarantee that it knows how to manage that data securely and is not under legal obligation to do so?

    The sooner we treat biometrics with the same level of care and security that we treat financial data, the better.

    Banks are under serious obligations to have the right to handle our money. Firms using biometrics should be as well, because I can't change my face if you foul up.

    1. elsergiovolador Silver badge

      Re: "The kiosk can capture facial biometrics and match it to a database"

      Can't wait for rear hole biometrics to be collected for workplace toilets to account for number two time or public loo to distinguish locals from tourists.

      1. Plest Silver badge
        Thumb Up

        Re: "The kiosk can capture facial biometrics and match it to a database"

        Ah the old mistaken "rectal scan" of many a TV and movie nerd comedy skit!

  2. Sora2566 Silver badge

    Why keep so much info?

    Why did this service even keep driver's licence details, let alone biometrics? After confirming they're legit with whatever gov body handles that, isn't all you need to record just the fact that you verified it, not what you verified?

    1. DS999 Silver badge

      Re: Why keep so much info?

      Because that information is valuable. It isn't as though a system that used the NFC built into all smartphones would be expensive to implement. Just pull up the wallet app on your phone and hold it to a scanner when you walk in and it could identify you as a member, without having to provide any personal information other than what they might collect at signup like your name and age (to prove you're old enough to drink) and maybe a credit card number if there is billing involved for membership.

      The reason they implement it with facial recognition that is undoubtedly much more expensive is because then it can gather a lot more information. Not just when you enter, but when you leave, how much you spend etc. That's really valuable if either the place you frequent wants to send you offers or other places want to advertise your way. Ideally from the pub owner's perspective the service would be "free" to them, with the profit made by the sale of all the personal info on your customers you allow them to collect!

      1. Sora2566 Silver badge

        Re: Why keep so much info?

        If you read the article, you might also have spotted the point that some of these clubs are set up to cater to military vets, and offer discounts to the same. So before offering you half off on your drinks, the business should verify that you actually served.

        Still doesn't explain why they would keep the license or such on hand afterwards, but I do understand why they would need this information (providing it should be voluntary, obviously - you might well think that your privacy isn't worth the discount even if you *are* a vet).

      2. Doctor Syntax Silver badge

        Re: Why keep so much info?

        "Because that information is valuable."

        Those who thought it was are now discovering that the correct word is "toxic".

        This is why Europe has customer protection regulations some commentard recently described as "Stalinist". This is what happens when you don't have them or don't follow them.

      3. CowHorseFrog Silver badge

        Re: Why keep so much info?

        I've asked before and will ask again.

        Why can't people sue companies for collecting and selling their data... isn't that some sort of copyright violation? Sue them to hell for copyright violation asking for tens of millions for each count.

        1. DS999 Silver badge

          Re: Why keep so much info?

          Because one can't claim copyright on facts, like that they have two kids, own their own home, have a below average credit rating, set chocolate chip cookies and four two liter bottles of Pepsi as a weekly subscription on Amazon, and went on a Disney cruise in January.

          Copyright requires creation of an original work, and that original work be fixed in a particular medium. You'd have better luck copyrighting some weird name you give your kid so you can make him the only one who has it than you would copyrighting the type of information that companies collect and sell about you.

          1. CowHorseFrog Silver badge

            Re: Why keep so much info?

            Hang on, let me try again on this angle.

            What about selling the "data" without a license?

            Surely selling personal data without asking is selling data without a license?

            The binary for MS SQL server is a fact, it's just numbers, just like personal data like a birthday...

            1. DS999 Silver badge

              Re: Why keep so much info?

              Where's the law that says you need a "license" to sell my birthday or yearly income to another company? Who issues that license, and how do you apply?

              You're just making stuff up now.

              I'm not defending sale of personal data, I wish there was a law against it. But in the US at least, there is not.

              1. CowHorseFrog Silver badge

                Re: Why keep so much info?

                The private information belongs to the person. It's no different from a person selling a photograph.

                1. DS999 Silver badge

                  Re: Why keep so much info?

                  What private information "belongs" to a person? Do I own the number that represents my taxable income for 2023? Do I own the number of children I have, or my birthdate?

                  You can't own facts. That's why laws are needed if you want to control which facts that a company has learned about you (or you have provided to them, willingly or not) it is allowed to sell or give to others.

                  1. CowHorseFrog Silver badge

                    Re: Why keep so much info?

                    Your birthday is your personal information. It's your secret to sell or not sell, just like it's Microsoft's right to sell or not sell their private keys.

                  2. CowHorseFrog Silver badge

                    Re: Why keep so much info?

                    Yes you do own that number, and there are privacy laws about who can and can't share that (well they are in my country).

  3. Winkypop Silver badge
    Stop

    Last visited an Oz club a few years ago

    They wanted me to scan my driver's licence.

    Ahhh, no.

    I completed a paper form instead, sans genuine data.

  4. Great Southern Land

    They were warned....

    As shown by this Australian Information Commissioner Privacy Case in 2011....

    https://www.austlii.edu.au/cgi-bin/viewdoc/au/cases/cth/AICmrCN/2011/2.html?context=1;query=registered%20club;mask_path=au/cases/cth/AICmrCN

    The complainant alleged that a registered club interfered with their privacy by scanning their driver licence and, in doing so, recording unnecessary information. The complainant conceded that the club was required to collect their name, address and signature. However, the complainant considered the collection of the other information on the licence, including their date of birth, driver’s licence number, driver’s licence type and photograph to be unnecessary.

    The complainant also raised concerns that the registered club's notice and security procedures were insufficient.

    1. veti Silver badge

      Re: They were warned....

      Yeah, but what was the resolution of that complaint?

      TL;DR: the club pointed to its own privacy statement and undertook to delete the data of anyone who asked for it to be deleted. Beyond that, it didn't have to change its ways.

      1. Great Southern Land

        Re: They were warned....

        .... And thus they've had 13 years to do something about it, and haven't.

  5. Khaptain Silver badge

    Out of the box cowboys

    "The leak site further alleges that Outabox didn't pay its outsourced contractors."

    1 : Is there any evidence to suggest that Outabox were ever anything but a bunch of cowboys?

    2 : What advantage does facial recognition actually offer, other than being more expensive and far more intrusive?

    3 : That sounds like an awful lot of data required just to enter a club.

  6. TReko Silver badge

    Leak site?

    The "leak site" appears to be similar to haveibeenpwned, it just lets you check if your details have been leaked.

  7. Anonymous Coward
    Pint

    Why store this much data?

    About 30 years ago I used to go out underage drinking with friends (in the UK, not Australia). There was a club where they had an unwritten rule that they'd allow slightly underage people in, on the proviso that they signed up for "membership". Membership in this case was free, and they *posted* you physical vouchers every few months with drinks offers. These were valuable because as a teenager you didn't typically earn much money - if any at all.

    Of course the reason they did that was because that way they had your address. Where you lived with your parents. So the chances of people causing fights or doing anything too stupid was reduced. It did actually work.

    At the time some people questioned how legit this was and even whether it was legal. Well of course it wasn't because they were serving underage drinkers but nobody back then really cared. The greater good was that it reduced problems in the town.

    I think this is more sinister though. It's blatantly holding way more data than is really necessary for any reasonable purpose. The question shouldn't just be about how or why the data was leaked, but WTF it was really being stored and used for in the first place.

    Pint icon, for obvious reasons.

    1. tiggity Silver badge

      Re: Why store this much data?

      In UK, decades ago, when I was underage drinking, and no ID needed, seemed to be a pub per town where "blind eye" was turned (so long as you were not obviously taking the mickey age wise with your appearance).

      So long as there was no trouble, everyone was happy, local police were aware (back in the days when local police stations still existed in many places, in this case was about 200 m away from the "underage pub").

      Sensible behaviour was essentially self policed, underage drinkers knew to behave to keep the privilege going & other pubs did not have to worry about age of punters.

      .. Nowadays, it is fake IDs instead - benefits the pubs / clubs as so long as they ID check (seemingly no matter how poor the fake ID!) they can tick their no U18s box, but means "underage" drinkers spread around more venues & that "self policing" ethos is gone..

  8. Tron Silver badge

    The stasi mentality of our glorious leaders is a vuln.

    Demanding that everyone collect data on everyone, all the time, everywhere so glorious leaders can monitor them at the click of a mouse is just a trainwreck in practice.

    All you should need to enter these places is a membership card, shown to someone on the door. No need to record it. Strewth, lose the fascist overreach, mate.

    As to what Australians do in drinking establishments, I think we can all hazard a guess without visiting sites that we cannot be told about, being mere children, protected by our political elite from knowledge harms.

    1. ecofeco Silver badge
      Terminator

      Re: The stasi mentality of our glorious leaders is a vuln.

      The Stasi would die from wet dream pleasure overload at the amount of people who willingly sign up to be tracked.

      Every government in the world that has not put strict consumer data protection in place is laughing their ass off all the way to the bank.

  9. Fred Daggy Silver badge

    Not surprised.

    Over New Year, 2024, was in Canberra visiting family. The hotel breakfast room was hosted in the restaurant of the attached club. Did not need to register for that brekky, but walked past where one does register for public entrance.

    Registration program had crashed on registration terminal. Showing Windows 7 desktop. Was able to use touchscreen to bring up Command prompt and verified that I was indeed local Administrator and there were networked drives. Could even start PINGing to my heart's content. Also, the desktop was like that for the better part of two hours.

    I declined to go there at the end of the day for a cleansing or two, because I saw that security of my PII was going to be lax to non-existent. No photocopy of my passport was going to them.

    Also, security codes, phone numbers, security safe words and delivery times were clearly pinned up on reception desk of the club. (Patron reception desk, where one enters the club, not even administrative reception).

  10. Marcelo Rodrigues
    Joke

    Sooo... they took a leak after the pub?

    Shocking, I say. Shocking.

    1. ecofeco Silver badge
      Coat

      Re: Sooo... they took a leak after the pub?

      Pissed right off, didn't they?

  11. ecofeco Silver badge
    Facepalm

    I never, ever get tired of saying it

    So how's that cloud thing working for ya?

    1. veti Silver badge

      Re: I never, ever get tired of saying it

      Yes, because there were no leaks in the old days, were there? When every business ran its own servers with perfect security and 100% availability and real-time backups...

  12. CowHorseFrog Silver badge

    One million stupid Australians, shouldn't have shared their name in the first place.

    1. Wexford

      You don't get the choice, if you want to enter the venue. Either you let them scan your driver's license or they don't let you in.

      1. CowHorseFrog Silver badge

        So don't go in... it's not the end of the world.

        There could be a lot of trouble from your stolen details... for a lousy beer you could have at home or at a friend's.

  13. Michael Strorm Silver badge
    Trollface

    Does it count as personally identifiable information if...

    ...every single person in it is called "Bruce"?

  14. Anonymous Coward
    Anonymous Coward

    UK venues have this too

    Quite a few UK venues have similar technology on the doors, and I always do wonder how strict their data protection is. The ones I have seen capture your photograph and show your age on the visible screen, as well as whether you are banned with a tick/cross.

  15. Ribfeast

    Always disliked the whole sign in process for clubs in Australia, typically I'd just give them rubbish info if it was a written entry form, don't like them scanning my driver's license. Had no idea it was to do with some sort of legislation and discounts. Surely the requirement needs to be re-investigated to see if it is adding any value.
