Perth Mint Depository Online data breach via third-party IT provider (September 2018)
Primary Source
Incident Details
In September 2018, The Perth Mint, the precious metals enterprise owned and operated by the Government of Western Australia, disclosed a data breach affecting customers of its Depository Online service, a web-based platform through which customers purchase and store allocated and unallocated precious metals.
The Perth Mint initially reported on September 8, 2018 that only 13 customers had been affected. The organisation subsequently revised that figure substantially upward, confirming on September 18 that approximately 3,200 Depository Online customers were affected, slightly over 3 percent of the Mint's roughly 100,000 global customers.
The breach originated not within the Perth Mint's own infrastructure but within the systems of an unnamed third-party IT provider that had been hosting an older, 2016-era database of Depository Online customer records. The Perth Mint confirmed that its own internal systems had not been compromised. The provider's identity was never publicly disclosed; the Mint's spokesperson specifically stated that Silverfern IT, a managed service provider named in media speculation, was not the entity involved.
Data exposed in the breach included customer names, home addresses, passport numbers, and bank account details, a high-value combination for identity fraud and financial crime. The Mint confirmed that customers' precious metal holdings and investment balances were unaffected and remained secure.
Following discovery, the Perth Mint notified the Australian Federal Police and the Office of the Australian Information Commissioner (OAIC), Australia's data protection regulator. The significant discrepancy between the initial figure (13 affected customers) and the revised figure (3,200) drew criticism and illustrated how difficult it is to scope a breach quickly when the compromised records are held by a third party rather than by the disclosing organisation itself.
The incident reinforced the risk that older datasets retained by third-party service providers, data the primary organisation no longer actively uses, remain attractive targets long after the business relationship that produced them has changed, particularly when they contain high-value identity documents and financial details. A copy that has been deleted cannot be breached, and a current inventory of which providers hold which copies of customer data is what allows an organisation to scope an incident like this one in days rather than weeks.
Technical Details
- Initial Attack Vector: Compromise of an unnamed third-party IT provider that hosted an older 2016 database of Perth Mint Depository Online customer records. The Perth Mint's own internal systems were not directly breached; the attackers targeted the external provider's infrastructure to obtain the hosted dataset.
- Vendor / Product: Not disclosed (third-party IT provider hosting the Depository Online database)
- Supply Chain Attack: Yes, confirmed third-party / vendor compromise
Timeline
- 2018-09-01 Breach occurred
- 2018-09-08 Publicly disclosed; 13 customers initially reported as affected
- 2018-09-08 Customers notified
- 2018-09-18 Affected figure revised to approximately 3,200 customers