Data Loss Prevention (DLP) , Incident & Breach Response , Managed Detection & Response (MDR)

Perth Mint Says 3,200 Customers Affected By Data Breach

Leaked Data Includes Passport Numbers, Addresses, Bank Account Details
Perth Mint Says 3,200 Customers Affected By Data Breach
Gold and silver bars produced by The Perth Mint, which sold more than AU$1 billion of precious metals last year (Source: Perth Mint)

If you're going to hack, why not go for the gold?

See Also: Hunt Cloud Threats or Be Hunted | CISO Guide to Cloud Compromise Assessments

That appears to have been the idea behind a curious data breach at the Perth Mint in Western Australia, which last year sold AU$1.1 billion (US$790 million) worth of precious metal coins, medallions and minted gold bars. Australia is the second-largest gold producer behind China.

On Sept. 8, Australian broadcaster ABC reported a data breach affecting 13 people who used Perth Mint's Depository Online, a web-based platform for purchasing precious metals. The leaked data included names, addresses, passport numbers and bank account details.

Perth Mint's Depository Online, which allows customers to buy precious metals (Source: Perth Mint)

The breach, which occurred on Sept. 5, affected what Perth Mint refers to as an "old 2016 database," which was hosted by a third-party IT provider, according to a question-and-answer statement published online.

Perth Mint, however, has upped the number of customers affected to 3,200, saying that the data exposed includes "customers' address, bank details or identification details." The revised figure represents slightly over 3 percent of Perth Mint's 100,000 global customers.

Perth Mint CEO Richard Hayes says in a statement that "there is no evidence to suggest the Perth Mint's own internal systems have been compromised in any way."

On-Site Deposits Secure

The Perth Mint in Western Australia

The mint says it has contacted Australia Federal Police as well as the Office of the Australian Information Commissioner, the country's data protection regulator.

No investments have been compromised, according to the mint. But the breach does have a curious physical aspect to it. Whomever stole the data will know the addresses of those who have bought precious metals, perhaps putting them at a greater risk of a follow-up physical intrusion.

The mint offers its own storage service, backed by the Australian government, which it says is the only government-guaranteed metal storage service worldwide. According to the mint, some 21,000 people use the storage service to hold AU$2.7 billion ($2 billion) in precious metals.

"The forensic investigation has confirmed that those customers' gold investments held at The Perth Mint on their behalf are safe and secure," the mint says.

IT Revamp Difficulties?

Perth Mint did not identity the third-party IT provider that hosted the breached database. But over the past couple of years, the mint has sought to revamp its IT infrastructure, which involved moving from in-house ICT support to a managed service, CRN reported in March 2017.

After a tendering process, the mint selected Silverfern IT of Perth. The move was made in mid-2015 "following the acknowledged failure of a number of key IT functions, including service desk and infrastructure services," Perth Mint's Marc Mason, general manager for information technology, told CRN.

Silverfern IT officials could not be immediately reached for comment, but a spokesman for the mint says the third-party breached was not that company.

The breach would appear to qualify as a reportable event under new legislation that came into effect in February. A revision to Australia's Privacy Act 1988 requires some types of organizations to report certain types of data breaches to regulators as well as breach victims (see Australia Enacts Mandatory Breach Notification Law).

The law applies to companies and governmental organizations that are covered by the Privacy Act 1988, but excludes from the reporting requirement businesses that have less than AU$3 million (US$2.2 million) in annual revenue.

The mandatory breach notification requirement is less demanding than Europe's General Data Protection Regulation, which requires organizations to report a breach within 72 hours. Instead, Australian organizations have 30 days to determine whether a breach meets the reporting threshold, which can sometimes be a tricky judgment call (see Europe Catches GDPR Breach Notification Fever).

Australia's law requires that breaches that pose a risk of "serious" harm to consumers should be reported. The penalties for not reporting a breach are fines of up to AU$360,000 (US$260,000) for individuals and AU$1.8 million (US$1.3 million) for organizations.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.