Cyber Incident Victim: Perth Mint

Date: Sep 2018

Location: Australia

Summary

A data breach at Perth Mint exposed the personal information of approximately 3,200 customers, including names, addresses, passport numbers, and bank account details, through a compromised database hosted by a third party. The organization confirmed no compromise of its internal systems or of customer investments in government-backed precious metal storage. Authorities including the Australian Federal Police and the national data protection regulator were notified, with forensic analysis confirming the security of physical gold holdings. The incident potentially triggered mandatory reporting obligations under Australian privacy laws, which require disclosure of breaches that pose a risk of serious harm, though no evidence suggested misuse of the stolen data. The breach originated from an outdated external IT system that had been flagged for operational failures before infrastructure modernization efforts.

Description

On September 5, 2018, the Perth Mint suffered a data breach involving customer information from an "old 2016 database" hosted by an unidentified third-party IT provider. Australian broadcaster ABC initially reported the incident on September 8, disclosing that 13 users of the mint's Depository Online platform had their personal data exposed. The compromised records included names, addresses, passport numbers, and bank account details. The mint subsequently revised the affected customer count to 3,200 individuals, representing approximately 3% of its 100,000 global client base. CEO Richard Hayes confirmed the organization's internal systems remained uncompromised. Perth Mint notified the Australian Federal Police and the Office of the Australian Information Commissioner (OAIC), Australia's data protection authority, while emphasizing that no customer investments in precious metals had been accessed or stolen.

The breach created potential physical security risks due to exposed residential addresses of precious metal purchasers, though the mint assured customers that AU$2.7 billion in government-guaranteed stored assets remained secure across its 21,000 storage service users. Forensic investigations confirmed the safety of on-site deposits. The incident occurred during Perth Mint's multi-year IT infrastructure transition from in-house support to managed services, though the breached third party was not Silverfern IT, the provider selected during its 2015-2017 revamp. Australia's mandatory data breach notification law, enacted in February 2018, likely applied to this incident because it involved sensitive identification documents and financial details meeting the threshold for "serious harm" risk, carrying potential penalties of AU$1.8 million for non-compliance. The mint did not disclose whether the 30-day regulatory reporting deadline was met or specify the exact method of unauthorized database access.
