Facial recognition company suffers major breach sparking privacy concerns

A massive breach of personal data linked to a facial recognition scheme in bars and clubs across Australia has come to light, raising concerns over the growing intrusion of AI-powered facial recognition systems into public spaces.

The breach, affecting a significant number of individuals, has put privacy advocates on high alert and raised questions about the security of such systems. The incident involves Outabox, an Australia-based company with offices in the United States and the Philippines.

The company introduced facial recognition kiosks that also doubled as temperature checkers in 2020 as part of its efforts to manage the COVID-19 pandemic's challenges. The kiosks can also be used to identify problem gamblers who enrolled in a self-exclusion initiative.

The breach was first brought to light by a website called “Have I Been Outaboxed,” allegedly set up by former Outabox developers in the Philippines. The website claims to have over 1 million records, including facial recognition biometric data, driver's license scans, signatures, club membership data, addresses, birthdays, phone numbers, club visit timestamps, and slot machine usage.

Samantha Floreani, head of policy for the Australia-based privacy and security nonprofit Digital Rights Watch, expressed her concerns, saying, “When privacy advocates warn of the risks associated with surveillance-based systems like this, data breaches are one of them.”

The data breach reportedly includes information from IGT, a supplier of gambling machines. However, IGT vice president of global communications, Phil O’Shaughnessy, stated that the data affected by the breach was not obtained from IGT and assured that the company would collaborate with Outabox and law enforcement in the investigation.

As proof, the “Have I Been Outaboxed” website posted photos, signatures, and redacted driver's licenses belonging to one of Outabox’s founders, along with a redacted screenshot of the alleged internal spreadsheet. However, the authenticity of the data has not been independently verified nor has the identity of the website’s owners been confirmed.

However, Outabox has confirmed the incident, stating, “We have been in communication with a group of our clients to inform them and outline our strategy to respond. Due to the ongoing Australian police investigation, we are not able to provide further information at this time.”

The New South Wales police force also confirmed they were investigating a data breach, but did not specifically mention Outabox. A 46-year-old man has been arrested in connection to the breach and is expected to be charged with blackmail.

This incident is a testament to the urgent need for better data security measures, especially as AI-powered facial recognition technology becomes more prevalent in various public spaces. It also raises questions not only about the security of personal data but also about the potential misuse and exploitation of such data by malicious actors.