Data leak

Outabox Biometric Data Breach (Australia)

📅 2024-01-01
Primary Source ↗

Incident Details

Outabox, an Australian hospitality IT provider that offered facial-recognition sign-in kiosks for licensed clubs, suffered a data breach exposing the biometric and personal data of approximately 1 million Australians. The data came from 19 ClubsNSW-linked venues in New South Wales and the ACT. Individuals claiming to be former Outabox developers in the Philippines set up a website exposing the data, alleging 18 months of unpaid wages. Exposed data included facial-recognition biometrics, driver's licence scans, signatures, club membership records, addresses, dates of birth, phone numbers, club visit timestamps, and slot machine usage records. A 46-year-old man was arrested in Sydney and charged with blackmail. The Office of the Australian Information Commissioner (OAIC) was notified. The incident is significant because it exposed biometric data of club and casino patrons, highlighting the risk of aggregating biometrics and identity documents in a single vendor system serving many entertainment venues.

Technical Details

Initial Attack Vector
Insider threat (as claimed by the perpetrators): individuals identifying themselves as former Outabox developers based in the Philippines said they exfiltrated the data in retaliation for 18 months of unpaid wages

Timeline

  1. 2024-01-01 Breach occurred
  2. 2024-05-01 Publicly disclosed
  3. 2024-05-01 Customers notified