All my personal data was STOLEN from the Western Australian Government's Perth Mint thanks to a third party data breach.
Obvious serious identity theft implications for customers as a result.
UPDATE: They have disabled comments and ratings, LOL! https://www.youtube.com/watch?v=mAERAUbCb8c
Perth Mint CEO: https://www.youtube.com/watch?v=UsjHlgTchnE
Forum: http://www.eevblog.com/forum/blog/eevblab-52-my-personal-data-stolen-from-the-government!/'>http://www.eevblog.com/forum/blog/eevblab-52-my-personal-data-stolen-from-the-government!/
EEVblog Main Web Site: http://www.eevblog.com
The 2nd EEVblog Channel: http://www.youtube.com/EEVblog2
Support the EEVblog through Patreon!
http://www.patreon.com/eevblog
Stuff I recommend:
https://kit.com/EEVblog/
Donate With Bitcoin & Other Crypto Currencies!
https://www.eevblog.com/crypto-currency/
T-Shirts: http://teespring.com/stores/eevblog
Likecoin – Coins for Likes: https://likecoin.pro/ @eevblog/dil9/hcq3
💗 Likecoin – Coins for Likes: https://likecoin.pro/ @eevblog/dil9/hcq3

Hi I'm having a great day. All my personal information was just stolen from the Western Australian Government. Whoa! Thank you very much to the Perth men who are a Western Australian government owned a company that meant Australian legal tender coins. They also sell gold and silver bullion and do bullion trading and stuff like that.

And I have an account with them. And I was one of the 32 hundred people who were caught up in a privacy personal information data breach from the Perth Mint Oh, not specifically from them, but from a third-party company that they used to hold the data. Well done. Now they actually alerted customers as they're required to under law about any data breaches like this back on the 8th of September.

It actually happened a couple of days before that, but they're investigating and at the time they only thought that 13 customers were affected. But they will keep us updated And as it turns out, the latest release today, once again, they emailed a customer's effectively of the 3200 online customers. As previously advised, ongoing forensic investigations continue. As we were made aware of this development over the weekend, we have moved quickly to contact the affected depository online customers in order to protect their interests.

Well, they did contact me quickly. While we were extremely disappointed, we have again assured our customers that their investments are unaffected and remain safe and secure. Yeah, no worries about my our stuff at the Perth Mint But what about my personal identity? Ever heard of identity theft? One thing you won't find in here. Other words, Identity Theft? No, all they care about is I Know they didn't breach our system so your money with us is safe.

No worries. Our dedicated customer support team has been working extended hours to provide our customers with advice and to answer any inquiries they may have. I can vouch for that and I was actually um, emailing talking to last night and they responded and answered my questions as best they could. but we'll get into that in a minute.

Mr.. Hayes who's the CEO confirmed the data breach occurred on the systems of a third party technology provider. However, he again assured customers that there is no evidence to suggest the % Perth Mints own internal systems have been compromised in any way. Well, if you got such good systems, why didn't you keep all your data there? We launched a forensic investigation when the data breach was identified.

Now, we have worked closely with our third-party provider and a range of cybercrime experts. During the ongoing inquiry, he said we are continuing to work with the third party provider to understand how this breach has occurred and will continue to work with the authorities, including the Australian Federal Police I Can assure our customers there is no threat to any account holdings at the Perth Mint and none of our data systems have been breached. Well, you would have been confident last week, wouldn't you or a couple of weeks back before this happened. That odd.
No. nobody can touch your information here and got it through a third party good. Anya So let's hear from the CEO Dick Hayes He looks like a deer in headlights. Take it away Dick, This meant just over a week ago I Alerted you to a data breach which impacted 13 depository on only 13.

We immediately commenced a forensic investigation to determine how this breach occurred and committed to you to provide any further information should it arise. As a result of our investigation, we now know that the personal data of 3200 deposit 3200 now Ares has been taken from information held by a third party provider. I Want to reassure all of you that despite this breach, all of your investments remain safe and secure and there is no threat to your account holdings. As you can imagine, enquiries of this sort are complex and very time-consuming We have committed substantial resources to the forensic investigation and continue to work with the authorities, including the Australian Federal Police and cybercrime experts.

Experian Edition I Sincerely regret any concern caused by this incident and can assure you we are doing everything we can to determine how this occurred and to support our customers. Thank you Thanks Dick! I Also did a video back when they thought they only had 13 customers affected here and look what they did. Comments are disabled for this video. Don't want people talking about this do you know? But they have actually enabled comments on the new one.

So go ahead and comment. I'll provide a link down below. I'll be there Now here's the email that they actually sent to customers and this is important because this is their disclosure and their advice to customers. Our forensic investigations now confirm that your personal information was also compromised by the breach that occurred in systems belonging to a third party technology provider.

As a result, the personal information that was stored in relation to your account has been accessed by an unauthorized person. They don't say that you know that they don't say external hack or anything like that. There's no details provided at all, so it may have been somebody who worked at this third-party provider or something like that. We just don't know.

This information includes the numbers of your bank account, your passport and/or driver's license. However, no scanned copies of any documents you have provided have been accessed illegally. Oh, just the people who can legally access at which customers never gave them permission to do because you think that no, you know it's a government organization they would like secure the data properly themselves. Noop.

As a precaution, we recommend that you contact your bank and advise them of this data breach so they can advise you of any steps that should be taken. If you have any concerns over the use of your driver's license and/or passport numbers, we recommend that you contact the relevant authorities and also seek their advice. The information illegally access was taken from an old 2016 database. so if you have updated your personal information out for this date, your updated information remains secure.
So it was stolen from an old database. So who is this third party provider? Is it some cloud storage or backup company or something like that that had access to an old database? Was that database encrypted or did they break the encryption? or was it just a plain text SQL thing or something? I was just all higgledy-piggledy with the backups and well, somebody found an old database lying around somewhere. We sincerely regret any concerns caused by this incident. We're gonna reassure you that investments are unaffected, blah blah and a safe and guaranteed by the Western Australian government.

Your money might be guaranteed by the government, but your privacy and your information security. And sure they don't seem to give it to us, long as your money's safe, she'll be right. No, I cares about identity theft and that's the thing You'll never find them out of the word identity theft. And the interesting thing is they only mentioned bank account, passport, and/or driver's license numbers.

They don't tell you that everything was stolen, absolutely everything. and this is probably illegal because they're not fully disclosing if you actually go in here. Notifiable data breaches scheme under privacy under Australian Privacy law How to notify people? It specifically says the kinds of information concern they didn't tell you everything. How do I know this? Because I Emailed them last night and they replied and said yep, they stole everything.

Every bit of personal information you entered into that website Hi Mr. Jones Yes, Unfortunately, all data fields on your account with the exception of your login password were included in the breach. This includes your address, phone number, email address, a reference number, and expiry data. You're supplied identity documents and banking details and they don't and there's actually more stuff in there which they don't tell you about as well.

So even though I asked, they still didn't disclose every bit of information that was stolen. We appreciate your concerns, but liked again Once again, reassure you that the Performance Systems and your online depository account remain secure and unaffected. We remain confident in the existing processes we have in place within the Perth Mint provide a high level of security without applying excessive burden of processes on our customers. Given the ever-changing nature of cyberattacks, we are constantly looking for ways to improve security for our counts and clients.

You have bet you are now that you got hacked decades. We do also use a third-party facility to store client personal data. Why? third-party data storage providers are often used throughout the financial services industry as well as other industries as their expertise and methods of protecting data are recognized to be the most stringent and up to date if the third party in question was selected after comprehensive risk assessment was undertaken and found to have world's best practice of cyber security protocols. Unfortunately, as evidenced by a number of data breaches occurring globally, such systems from time to time can be breached.
just an old database lying around somewhere probably what I'm 5 and a quarter inch floppy. For security and legal reasons, we do not publish the identity of the third-party data storage facility that we utilize, but we can assure you that they are one of the leaders in this field. Yeah, I Think we are very disappointed that this particular cyber attack occurred and we are very sorry for the concern that this may cause you. Unlike any other depository facilities, the middle and funds held in your account remain guaranteed by the government.

But once again, no mention of identity theft and there was not a full and complete disclosure here of what actually what data fields were actually stolen. And that's important when it comes to identity theft and the customers ability to be able to deal with that. They don't give you everything. so how is the customer supposed to know what steps they're going to take? So when I question them again on why they didn't disclose all of the data fields that were actually stolen, this is their response.

Due to the ongoing criminal investigation, we have been provided with responses that have been currently deemed as acceptable for the time being. like as in yeah, you don't need to know the exact fields that was stolen I Sincerely do understand your concerns about identity theft because I mentioned that I hold I myself hold an account that was we in the affected group. The reason we didn't list each and every details the breech is simply that there were 3,200 accounts affected and to list the information against each account would have been a further disclosure of information that as you may imagine, we are seriously trying to control. you have the contact details of all the affected customers.

You could have emailed just those affected customers and told them as it seems you're required by Australian privacy law to detail each and every item that was stolen, each of personal identifiable item. Instead, the decision was made to release an email communication as soon as possible in their responder clients more specifically upon their response. Yes, you did. But then when I asked for specific things, you still didn't tell me what feel exactly what feels like to go into my account and actually look at all the stuff that I entered when I actually signed up for the thing to find out and there's probably more than that that's not showing up on the accounts field.
They do finally admit it. We are very aware of the effects of identity theft and are trying to assist clients as much as possible. If you believe there is anything, they were able to help you, please let me know and I will do what? I am able to thank you very much. They're very responsive and kind at the Perth mean I Must admit, they've been.

You know they are pretty good up to that point. and of course, a sadly predictable our response from the media here. in terms of this: Yes, they did report on it, but really, it's just regurgitating their blurb right. If there's just nothing, there's no questions being asked anything like that.

it's just all the same. it's all the same crap. they just re good st.. but he odd, doesn't he look smart? It's just all the same.

Like anyway. so I decided to ask them some questions. Some you know, real journalistic questions as you should. So these are the questions I sent to the people who were previously very responsive to me.

but I said right. I'm in journalist mode now. please answer these questions I Know you are not willing to name the third party company involved, but are you able to say the type of company that was involved eg. given that you said was a breach of a 2016 database Was it the backup data provider? A server host provider for example - Are you able to comment and why this third party was required to hold or access this information? 3 Are you discontinuing the use of this third-party service provider for was the personal information stolen encrypted? If not, why not? If yes, Was the encryption broken or otherwise circumvented, Or did the Feith have authorized access to the data as an employee of the third party company were depository customers deliberately targeted? Does the Perth Mint use third-party providers for other customers? If so, will the Perth Mint be re-evaluating their stance on using third-party providers for the handling of personal data in the future? Your prompt answer these questions would be appreciated, even if it is no comment.

Guess which option? they decided on Surprise Surprise. They fob me off to a third party ironically because I can't handle this in their house just like their privacy like Marketing Communications Crisis Manager company. So I Got this email back from the Director of Media Strategy at Cannon Purple Strategic Communications Hi Dave Thanks for getting in touch. Please see attach to media release Alton announcing details around the data breach and 3200 blah blah blah.

That's it. And it's the standard media release that's on the website. They wouldn't answer a single one of those genuine questions. Unbelievable.

I Just lift up the right, just sweep it under. It'll just pass it. You know, a couple of days it'll pass the news cycle crisis averted and it's just the same crap we've heard before. And here's the the steps they tossed launched a forensic investigation.
Wank Wank notified all affected customers via email, except when you probably breach the privacy laws by not fully disclosing everything. Set up a dedicated phone line. Notify the office of the Australian Information Commissioner, which they are required to do by law whether or not they're gonna do anything. Dad, slap on the wrist, notify the Western Australian Police in the Australian Federal Police good Anya What about notifying us of everything and you might be wondering why people would have to provide so much information like passport and driver's license and other identifying important identifying documents for something like this? Well yeah, the Federal Government to think for that.

Under the Federal Government Anti Money Laundering and Counterterrorism Financing Act of 2006, Under the Australian Transit the Austrack it's called the Austrack Reporting Requirements. Any company dealing with monetary items, financial services, precious metals, currency exchange houses that are use and anything to do with cryptocurrency. any like online crypto currency trader that deals in Australia must follow these Austech requirements and they have to gather all this information. In fact, some of the crypto companies make you hold up a sign like a handwritten sign with the photo of your ID to make sure it matches to these reporting requirements and it basically says that if you transact over five thousand dollars, well, you could be a terrorist or a money launderer.

oh I've got to stop him so ya know you can't buy anything legit over five thousand dollars here in Australia No, just take me away in handcuffs now. I'm obviously a criminal and I found this also with my currency exchange house that I use I buy as you know I buy lots of stock and stuff from overseas and these are really big value stuffs I've got a convert into US Dollars and then I've got to convert that a good rate send overseas and every time I do that, especially the for the very large value transactions I've got to prove time and time again not only Who I am and why I'm doing this, but also the source of the funds as well. It's ludicrous. Not a freaking business and coming soon in Australia we won't be able to buy anything over $10,000 in cash because we're obviously criminals.

If you pay that sort of money in cash, you've got to be a criminal. Now you've got to be working in the black market economy and all that sort of stuff. Great. So what a monumental screw-up I Know this sort of stuff happens all the time and everyone's gonna go.

Me: So what? No big deal? Hmm everyone I know is that their personal data stolen? What's the big deal? It's common as mud. Well, the problem is, this should be preventable trust in third parties like this when I'm sure they could have easily handled this sort of stuff in-house This is not some, you know huge high-volume thing. it's just the Perth Mint They could have dealt with this in-house kept their own in-house security, and because that's a government agency, you expect better. But that's probably a dumb thing to expect right that the government going to do things right? anyway.
I Just had to make this video to just make people aware that this stuff is still happening and it's happening to government organisations as well and hopefully keep putting pressure on governments and other businesses that data security is really important and there can be a huge flow on effects when the data is breached. Personal Information People's information security is huge these days. Identity theft is a really big thing. Completely screw people's lives up.

so if you liked that video, please give it a big thumbs up. If you've been had your identity stolen or personal information data breach like this, leave it in. The comments are on the Eevblog forum thread for this video down below. Let us know all about it, so catch you next time and let's have a slow clap for mister deer-in-headlights here, huh? Well done, you.


Avatar photo

By YTB

25 thoughts on “Eevblab #52 – my personal data stolen from the government!”
  1. Avataaar/Circle Created with python_avatars Pavle Pavlovic says:

    Apollo rocket in the back , APOLLO DATA TAPES 100 000 OF THEM ARE ALSO STOLEN , what a coincidence . Well deleted ,same thing , data is lost . Why would anyone secure that data , when modern kid could look up in that and find 1000s of scams using modern computers . That is why its deleted . And i guess similar happened here , there is a World War going on but its Financial currently , if you can remember TRAMP and its import TAXES , and things , its WAR. I think , this has to be a part of that ,how i dont know . Im pissed of by modern DATA taken on you from every single device, when internet of things goes On they will know when you take a shit .

  2. Avataaar/Circle Created with python_avatars jburdman7 says:

    Why should the government protect your data? The bigger the disaster the government's one-stop thief-shop the database is of your identity documents, the quicker the sheep will be begging to have tracking chips implanted. No worries if they lose your money. They are fully backed by the government! A full disclosure just might mention that the government is fully backed by YOU.

  3. Avataaar/Circle Created with python_avatars Mike Whit says:

    Notice we never had breeches back in the old paper world unless the employee was the one doing it. We have put to much trust in a system that is never going to be 100% secure. Paer sure looks great.

  4. Avataaar/Circle Created with python_avatars DynV says:

    I'm sure they'll compensate anyone that has their identity stolen and either is defrauded because of it or need to take preventative action against it. @.@

  5. Avataaar/Circle Created with python_avatars Richard Smith says:

    By third party, they mean they used a bad password and their external server was breached, but they blame the cloud provider.

  6. Avataaar/Circle Created with python_avatars Mr Mobodies says:

    The microphone on his shirt is going up yours!

  7. Avataaar/Circle Created with python_avatars Mr Mobodies says:

    I see scruffy Dick wears microphone but no tie.

  8. Avataaar/Circle Created with python_avatars Tiavor says:

    IDIOTS, why don't they send their data encrypted to the 3rd party provider? It's not the problem of that 3rd party to have it encrypted in the first place.

  9. Avataaar/Circle Created with python_avatars dlarge6502 says:

    Sounds like you need GDPR! That would stop them getting away with ignoring the data loss over the "safety" of your funds.

  10. Avataaar/Circle Created with python_avatars Mike Ehrmantraut says:

    Their response was infuriating to listen to, had a good laugh at the CEO deer in headlights comment haha

  11. Avataaar/Circle Created with python_avatars Grzegorz Ignatowicz says:

    I would assume, that if the data was held in house the breach would be just as likely, but the detection of it happening – not so much.

  12. Avataaar/Circle Created with python_avatars ReadTheShrill says:

    "No threat to your account holdings". Except that an attacker now has all the information he/she needs to convince the depository that he/she is the depositor, and therefore could drain the account holdings at will.

  13. Avataaar/Circle Created with python_avatars Edd The Duck says:

    Dave your a total prick, you got no money to loose lol

  14. Avataaar/Circle Created with python_avatars Nigel Hungerford-Symes says:

    Have a chat to a lawyer to see what rights can be enforced.

  15. Avataaar/Circle Created with python_avatars jesterof84 says:

    Im a member of the 179 Million people Equifax Data Breach at least I haven't given my DNA to a genetics company for them to then sell my genetic profile to a pharmaceutical company …..

  16. Avataaar/Circle Created with python_avatars Wkterr says:

    It's bullshit that they can't reveal who the 3rd party is for "security reasons". That's the opposite of security. That's actively doing harm to your customers by denying them the opportunity to protect themselves from the offending party.

  17. Avataaar/Circle Created with python_avatars Pașca Alexandru says:

    BTW, I'll say this separately: Third party for govs means cousins, ants, brothers in law and other family companies.
    This way you get public money in private hands. 😉

  18. Avataaar/Circle Created with python_avatars Pașca Alexandru says:

    eggspetrs

  19. Avataaar/Circle Created with python_avatars Tripcore says:

    They are criminals

  20. Avataaar/Circle Created with python_avatars Daniel Lopez says:

    Ooh damn…

  21. Avataaar/Circle Created with python_avatars David Byrne says:

    You guys need to get some GDPR. Securing the data in the first place is time consuming. Yeah you know me , im not down with DLP. Island hoping aka gaining access via a third party is very common place. 4% of they're national Gross would have to be paid up if it was in Europe.

  22. Avataaar/Circle Created with python_avatars SimonSez says:

    What do you have against computer forensics?

  23. Avataaar/Circle Created with python_avatars Moon Moon says:

    I work*ed* in IT and burned out before I ever got started, because the industry is so full of bullshit, no one gives a fuck, and frankly, everyone thinks they’re hot shit until they get bitten in the arse. It’s the single most egomaniacal industry I have ever witnessed in my 25 short years. This shit happens all the time. The details that are not said, provide more information than what is said. I wouldn’t be surprised if the breach was a database backup shoved into a sysadmins Dropbox with no 2FA. This happens.

    I know that database will have been plain text, with hashed passwords, because this is the industry standard, and they indirectly, unknowingly confirm this. Fuck a key, I can’t boast about my access times if I encrypt everything. Everything stolen except passwords? Everything else is in plain text. I would bet my career on it.

    I’m desperate for a job right now, but I’m not going back into IT. The entire industry and everyone in it can all go fuck themselves. I will order some popcorn and a lawn chair and watch as the industry burns to the ground.

    I love technology, but I can’t stand IT. I wonder if there are greener pastures in electronics or engineering.

  24. Avataaar/Circle Created with python_avatars ats89117 says:

    Does this have anything to do with you being a shill for the CIA? 😀

  25. Avataaar/Circle Created with python_avatars Evo Labs says:

    I know in NZ, government departments are essentially mandated to outsource as much as possible to increase the 'velocity' of the money supply – probably similar in Australia. Those third party providers of course want to maximise profit and therefore cut corners to do so.

Leave a Reply

Your email address will not be published. Required fields are marked *