A Perpetual spokesperson told Street Talk the incident had been assessed as a “non-notifiable” data breach in accordance with privacy regulations, as client details cannot be matched with bank account numbers, and that the letter, sent to around 40,000 active clients, was a proactive step in light of the “increasing threat of cybersecurity events”.
Street Talk understands Perpetual has been pressured by ransomware groups to pay to prevent its clients’ data from being released online. A spokesperson said: “We have not engaged on a ransom.”
The breach follows an outage of its myPerpetual platform, which began on June 6, stemming from a security incident at its third-party-provided unit registry system.
The platform was disconnected following evidence of unauthorised access and an external forensic IT expert engaged to investigate whether any client information had been accessed, the letter said.
Fingers pointed to an issue at Tech Mahindra, an Indian tech firm that provides administration services for a range of Perpetual superannuation products including unit registry, client administration and insurance administration. Tech Mahindra did not respond to a request for comment.
While core systems have been restored and manual processing of client transitions has re-commenced, access to myPerpetual remains cut off and no timeline has been provided for the resumption of service.
Perpetual customers who spoke with Street Talk expressed frustration about a lack of access to the platform, especially as the end of the financial year approached.