By Sophia McCaughan and Samantha Lock in Sydney

A man has been arrested after the personal details of visitors at more than a dozen licensed venues – including two Canberra clubs – were exposed.

NSW Police were alerted to a website which had published the details of patrons who used their drivers’ licences to sign in at 17 venues across the state and the ACT.

Officers raided a Fairfield West address in Sydney’s west on Thursday afternoon and arrested a 46-year-old man.

He is expected to be charged with blackmail, NSW Police said in a statement.

Detective Chief Superintendent Grant Taylor earlier on Thursday said the site was live “a number of days ago” but “only really became known to the public in the last 24 hours to 48 hours”.

“We believe it’s a breach of a third-party provider,” he told reporters.

Registered clubs are required by law to document and store the personal details of patrons entering their venues in NSW.

Police allege the third-party IT provider contracted to collect the data had sent it offshore to another contractor.

The records were published online, with allegations contracted software developers in the Philippines had not been paid.

Some affected clubs had already severed contracts with the third-party provider, including in one case because it was sending data offshore.

Police are urging patrons to wait until they are advised they have been affected by the breach before changing any details.

But privacy protection expert Philip Bos said the breach illustrates how Australians are often forced to hand over information to organisations which don’t know how to handle confidential data correctly or safely.

NSW Gaming Minister David Harris said the breach was worrying.

“We’re really concerned about the potential impact on individuals and we will encourage clubs and hospitality venues to notify patrons whose information might be affected,” Mr Harris said.

The exposed records include visitation data, meaning some of the one million records will be near-duplicates.

Alliance for Gambling Reform said the breach could have been avoided by a centralised, secure universal cashless gambling card system.

“This breach highlights just how unaccountable clubs are and how haphazard they are with the mountain of private information they routinely collect from the public, without direct consent,” chief executive Carol Bennett said in a statement.

One club affected by the data breach posted to Facebook that it used the provider from January 2021 to October 2022, but no longer used their services.

Club Old Bar said it had started an investigation and was working with the provider to identify the extent to which any data relating to the club may be involved.

The third party IT company, Outabox, said it was investigating the potential breach by an “unauthorised third party from a sign-in system” and had alerted authorities.

“We are restricted by how much information we are able to provide at this stage given it is currently under active police investigation,” it said.

Investigators overloaded the site on Thursday to disable further searching of records.

CLUBS AFFECTED BY DATA BREACH:

* The Tradies Dickson 

* Erindale Vikings

* Breakers Country Club 

* Bulahdelah Bowling Club 

* Central Coast Leagues Club 

* Mex Club Mayfield 

* City of Sydney RSL 

* East Maitland Bowling Club 

* East Cessnock Bowling Club 

* Fairfield RSL Club 

* Gwandalan Bowling Club 

* Halekulani Bowling Club 

* Hornsby RSL Club 

* Ingleburn RSL Club 

* Club Old Bar 

* Club Terrigal 

PUBS AFFECTED

* Merivale