Police and federal authorities are currently dealing with a major personal data breach related to a facial recognition system in bars and clubs throughout Australia. This incident sheds light on the growing privacy concerns surrounding the use of AI-powered facial recognition in various settings, including shopping centers and sports venues.
The company at the center of the controversy is Outabox, an Australia-based company with offices in the United States and the Philippines. In response to the Covid-19 pandemic, Outabox introduced a facial recognition kiosk that not only scans visitors and checks their temperature but also helps identify problem gamblers who have opted for self-exclusion. Recently, a website called “Have I Been Outaboxed” was created by former Outabox developers in the Philippines, claiming that Outabox’s data, which was allegedly shared in an unsecured spreadsheet with lax internal controls, was compromised. The site claims to have over 1 million records.
Privacy experts have expressed outrage over the incident, with concerns over the increasing use of facial recognition technology in public places like clubs and casinos. Samantha Floreani, head of policy at Digital Rights Watch, emphasized the risks associated with surveillance-based systems like this and how data breaches are a potential consequence.
According to the “Have I Been Outaboxed” website, the leaked data includes facial recognition biometric information, driver’s license scans, signatures, club membership details, addresses, birthdays, phone numbers, club visit timestamps, and slot machine usage records. Although the site claimed that Outabox had exported membership data from gambling machine supplier IGT, IGT stated that the data affected by the breach did not come from them.
The website’s owners posted images of a founder’s driver’s license and a redacted internal spreadsheet, but the authenticity of the data could not be independently verified by WIRED. Outabox confirmed that they are aware of the cyber incident and are cooperating with law enforcement and clients. The New South Wales police force is currently investigating the breach, and an arrest was made in connection with the case.
Overall, this breach serves as a stark reminder of the potential privacy risks associated with the widespread use of facial recognition technology in various sectors.
