Cybercrime detectives have charged a Sydney man with blackmail after online threats were made to expose one million identity records of Australian club and pub patrons.
The website, uncovered this week, had published the details of people who used their drivers' licences and other personal details to sign in at 17 venues across NSW and the ACT.
It has prompted calls for better data handling and changes to mandates requiring all 1200 registered clubs in NSW to capture identity data of patrons.
Data about NSW Premier Chris Minns and Deputy Premier Prue Car was reportedly among the information exposed before police flooded the site with requests to prevent further leaks.
Police said the breach was believed to be of a third-party provider.
The website contained allegations of a corporate dispute with software developers and poor data handling practices, including sending data offshore.
But the leak had an integral player on Australian shores in a suburban home in southwestern Sydney, police allege.
Heavily armed police arrived at a Fairfield home on Thursday afternoon before detectives arrested a 46-year-old, dressed in jeans and thongs.
After a night in custody, he was charged with a blackmail offence and released on conditional bail.
If convicted, he faces a maximum of 10 years in prison.
The man is due to face Fairfield Local Court on June 12.
Police are urging patrons to wait until they are advised they have been affected by the breach before changing any details.
But privacy protection expert Philip Bos said the breach illustrates how Australians are often forced to hand over information to organisations that don't know how to handle confidential data correctly or safely.
Some affected clubs had already severed contracts with the third-party provider, including in one case because it was sending data offshore.
Registered clubs are required by law to document and store the personal details of patrons entering their venues in NSW.
Alliance for Gambling Reform said the breach could have been avoided by a centralised, secure universal cashless gambling card system.
"This breach highlights just how unaccountable clubs are and how haphazard they are with the mountain of private information they routinely collect from the public, without direct consent," chief executive Carol Bennett said in a statement.
The exposed records include patrons' individual entries, meaning some of the 1.05 million records will be near-duplicates.