Police arrest Sydney man for blackmail over major data breach affecting up to 1 million NSW and ACT residents

Personal data including names and addresses were accessed during a data breach involving Outabox, with ClubsNSW saying 16 clubs and several pubs were impacted. Photograph: Jessica Hromas/The Guardian

Police have arrested a Sydney man they expect to charge with blackmail as they investigate a major data breach that saw personal details for up to 1 million New South Wales and ACT residents shared online.

NSW police officers have been working with state, federal and international agencies as they investigate the major breach that is believed to be either blackmail or corporate sabotage after data was published this week.

Personal data including names and addresses were accessed as part of the incident involving Outabox, an IT provider used by dozens of hospitality venues including hospitality giant Merivale.

Police are investigating whether a website may have been set up by the alleged perpetrator. It purported to allow people to search names in the leaked database, and returned redacted information about its contents. It claimed that it contained 1,050,169 records.

Officers from the NSW police state crime command’s cybercrime squad were investigating under Strike Force Division.

On Thursday evening, police announced they had arrested a man after executing a search warrant in Fairfield West at about 4.20pm.

“At the address, police arrested a 46-year-old man. He will be taken to Fairfield police station where he is expected to be charged with blackmail.”

The commander of the cybercrime squad, Det Acting Supt Gillian Lister, said “now is the optimal time to make sure your cyber hygiene is good; you have strong passwords and are using two-factor authentication where possible”.

“If you think your details may have been compromised, use extra caution when reviewing emails or texts and never click on a suspicious or unfamiliar link,” Lister said, urging residents to report incidents of cybercrime through the Australian Cyber Security Centre or Scamwatch.

Earlier on Thursday, Det Ch Supt Grant Taylor said the initial focus was on limiting access to the data, understanding the extent of the leak and understanding the motive.

“We’re following up both lines of inquiry with respect to whether it’s a blackmail of a particular company or whether, in fact, it’s sabotage to ruin the company’s name,” he said.

Taylor said initial investigations indicated there had been a breach of a third-party provider who had been working with Outabox.

“We have persons of interest,” he said.

“We are following up with those persons of interest and we hope to think that those persons of interest will help us identify who the perpetrators are that have committed this act.”

Taylor advised against getting new identification documents until people were certain their details had been shared.

ClubsNSW said the “cybersecurity incident” had impacted more than a dozen clubs and several pubs.

“The clubs concerned are working towards notifying all impacted patrons,” a spokesperson said.

A spokesperson for Outabox said it was “aware of a potential breach of data by an unauthorised third party from a sign-in system used by our clients”.

“We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement,” the spokesperson said.

The gaming minister, David Harris, has urged venues to notify patrons whose information may have been affected.

On Thursday morning, entertainment and hospitality giant Merivale said it did not believe its customers had been impacted.

The Australian cybersecurity expert Troy Hunt said it was not clear if photos and signatures captured by the system upon sign-in were exposed in every case.

“Drivers licenses, however, is Optus redux: they all need replacing now,” he posted on X, formerly known as Twitter.

“Signatures and photos are obviously immutable (by any practical measure) and combined with the other personal identities (name, phone, address), are *very* useful for criminals.”

The NSW government is also investigating.

“The NSW government is aware of an incident involving unauthorised access to customer information held by an IT provider which is used by hospitality venues across both NSW and the ACT,” an ID Support NSW spokesperson said.

“We are concerned about the potential impact on individuals and urge clubs and hospitality venues to notify patrons whose information is affected.”

AAP contributed to this report.
