Perth Mint
Summary
The Perth Mint, a Western Australian government-owned precious metals refinery and dealer, disclosed a data breach in September 2018 that initially appeared to affect a small number of customers but was later revised to thousands of individuals. The breach exposed personal information of customers who had purchased gold, silver, and other precious metals through the Mint's online platform. The incident was notable both for affecting a government entity and for the significant revision in the number of affected individuals.
What Happened
Attackers gained unauthorised access to the Perth Mint's customer database, which contained personal information of individuals who had purchased precious metals or invested through the Mint's various programs. The compromised data included names, contact details, dates of birth, and account information.
The Perth Mint initially disclosed the breach in early September 2018, stating that a "small number" of customers were affected. However, following further investigation, the Mint revised its assessment significantly upward, revealing that thousands of customers had potentially had their information accessed. This substantial revision raised questions about the Mint's initial incident response and the accuracy of early breach assessments.
The breach occurred through the Mint's online systems, though specific technical details about the attack vector were not publicly disclosed. The incident affected customers across the Perth Mint's various business lines, including direct precious metals sales and investment products.
Impact on Individuals
Customers of the Perth Mint whose information was compromised included:
- Precious metals investors: Individuals with significant holdings in gold, silver and platinum
- Depository clients: Customers storing metals in Mint vaults
- Online purchasers: People who bought precious metals through the website
- Investment program participants: Those in structured investment products
Compromised information included:
- Personal details: Names, dates of birth, addresses
- Contact information: Email addresses and phone numbers
- Account data: Customer account numbers and transaction history
- Passwords: Hashed account passwords
Risks to affected individuals:
- Targeted fraud: Knowledge of precious metals investments could make customers targets for scams
- Identity theft: The combination of personal details could enable identity fraud
- Investment scams: Criminals could use knowledge of investment activity for convincing fraud attempts
- Account takeover: Password compromise could enable unauthorised account access
- Physical security: Information about valuable holdings could pose personal safety risks
The nature of the Perth Mint's business meant affected customers were often high-net-worth individuals or those with significant investments, potentially making them attractive targets for sophisticated fraud.
Organisational Response
The Perth Mint responded to the breach by:
- Conducting a forensic investigation to determine the scope of compromise
- Revising initial estimates as more information became available
- Notifying affected customers via email and letter
- Recommending customers change their passwords
- Implementing enhanced security measures on online systems
- Engaging cybersecurity experts to strengthen defences
- Reporting the incident to relevant authorities
The Mint advised affected customers to:
- Change their Perth Mint account passwords immediately
- Be alert to suspicious communications about investments
- Monitor their accounts for unauthorised activity
- Be cautious of potential phishing attempts using their information
Disclosure and Communication Issues
The breach became notable for communication problems:
- Initial underestimation: Early disclosure of a "small number" of affected customers was later revised to thousands
- Delayed accurate information: Significant time gap between initial and revised disclosures
- Customer confusion: Uncertainty about who was affected and the extent of the compromise
- Media scrutiny: Revision of affected numbers attracted negative media attention
- Trust impact: Credibility concerns about initial breach assessment
The incident highlighted challenges organisations face in accurately assessing breach scope quickly while meeting notification obligations. It also demonstrated the importance of thorough investigation before public disclosure of affected numbers.
Government Entity Implications
As a Western Australian government-owned entity, the breach raised particular concerns:
- Government data security: Vulnerabilities in government enterprise systems
- Public accountability: Higher expectations for government entities' cybersecurity
- Customer confidence: Impact on trust in government commercial operations
- Regulatory scrutiny: Enhanced oversight of government business enterprises' data practices
The Perth Mint operates commercially while being government-owned, creating unique accountability and security expectations.
Precious Metals Industry Context
The breach had implications for the broader precious metals industry:
- High-value targets: Precious metals dealers hold information about customers with significant assets
- Investment fraud: Information could be used for targeted investment scams
- Cybersecurity awareness: Highlighted the need for strong security in the precious metals sector
- Customer privacy: Sensitivity of information about investment holdings and wealth
The incident prompted other precious metals dealers and bullion sellers to review their own cybersecurity practices and customer data protection measures.
Long-term Impact
The Perth Mint breach resulted in:
- Enhanced cybersecurity measures on the Mint's online platforms
- Improved incident response and breach assessment procedures
- Greater scrutiny of government business enterprises' data security
- Industry awareness of cybersecurity risks in precious metals trading
- Customer expectations for stronger security at investment platforms
The incident remains a case study in the importance of accurate breach assessment and clear communication with affected individuals, particularly for government entities where public trust and accountability are paramount.