Arts and Culture Trust

The Arts and Culture Trust, also known as ACT, is an organisation based in Australia that became publicly known in relation to a significant data security incident in July 2022. This event involved multiple prominent Western Australian arts organisations, specifically naming Perth Festival and the Black Swan State Theatre Company as affected entities. The breach stemmed from a compromise of third-party software utilised by these organisations, which resulted in unauthorised access to customers' personal information. Following the discovery of this security failure, the Arts and Culture Trust assumed the responsibility of notifying the individuals whose data had been compromised, communicating this breach directly via email. This action positions ACT as an entity with a role in the governance or administrative oversight of the implicated arts bodies, capable of initiating customer communications on their behalf regarding a major data incident. The nature of the compromised third-party software was not specified, but the incident underscores a vulnerability through supply chain or vendor relationships within the Western Australian arts sector. The personal information accessed was described generally, indicating a broad exposure of customer data rather than a limited set of details. This breach highlighted the operational risks faced by cultural organisations regarding data stewardship, even when direct IT systems may be managed by external providers. The Trust's involvement in the notification process suggests a centralised or coordinating function for these affiliated arts institutions, particularly in matters of legal or regulatory compliance following a data compromise.

The data breach incident provides the primary documented insight into the Arts and Culture Trust's operational context and its relationship with major Western Australian arts entities. The scale of the incident was characterised as "major," affecting multiple high-profile organisations simultaneously, which points to a shared technological dependency among them. The fact that ACT led the notification effort implies it holds a structural or fiduciary position that mandates or enables it to manage crisis communications for the group. No further details about the Trust's specific governance structure, ownership, or day-to-day operations are provided in the available information. The incident's root cause was external, tied to a third-party software provider, which shifts the focus from ACT's internal security to its vendor management and oversight protocols. The response, via direct email to affected customers, indicates an adherence to, or a practical application of, data breach notification obligations under Australian privacy law. This event serves as a key reference point for understanding ACT's role within the ecosystem of Western Australian arts administration, demonstrating its function in managing shared risks and communications for constituent organisations. The breach's impact was confined to customer personal information, with no mention of operational data or intellectual property loss from the arts organisations themselves. Consequently, the Trust's documented public activity is centred on damage control and regulatory compliance following a systemic technology failure affecting its partner institutions.