Mercer Super suffers an analog data breach via theft from Australia Post GPO in Melbourne.
July 24, 2025
Data breaches, at least the ones reported, are invariably the result of a cyber attack or phishing. The analog variety are much less common than they were a few decades ago, when I started practising privacy law. Back then data breaches commonly involved records stored in filing cabinets offered for sale or disposal, documents left in the street for recycling, folders of documents taken by disgruntled employees or files left in cars. There were some digital records stolen but that was usually laptops left in or stolen from places. It was much too hard to exfiltrate masses of data over telephone lines and many records were not online. That is not to say that analog data breaches don’t occur today. I receive calls about paper form customer lists taken from companies or mail taken from letter boxes. But the data breach suffered by Mercer Super is very unusual. Mail posted to Mercer and collated and placed in its GPO Box at Australia Post Melbourne GPO was targeted by thieves who broke into the GPO. Four times! It is reported by the ABC in “Mercer Super reports security breach after Australia Post Melbourne GPO mail theft”. Official correspondence and forms completed by clients to Mercer would contain a considerable amount of personal information, not to mention details of customer accounts. That can be used for identity theft but also for trying to access super accounts, which contain considerable sums of money, as we have seen from recent cyber attacks on Australian superannuation funds.
Theft of mail used to be a very lucrative target for criminals. Cash, cheques, money orders and securities were transported via mail. The Great Train Robbery of 1963 involved the theft of £2.61 million from the Royal Mail train on the Glasgow to London run. That haul is worth 62 million pounds today. Private security vans took over from mail vans and trains and now money is transferred digitally.
Australia Post has issued a media release where they say the break ins occurred within the mezzanine area of the Melbourne GPO Box Room in Bourke Street between 6 and 17 July 2025. The thieves were after letters, not parcels, which are tracked. It has been reported by the AFR with “Post office burglaries spark super fund security alert”, “Super fund’s warning to customers after post office break-in”, and Sky’s “Major super fund issues alert to customers after mail stolen from Australia Post Melbourne GPO in string of break-ins”.
Even though the cause of the data breach cannot be blamed on Mercer Super, it is important for it to have a viable and effective data breach response plan. Given the spate of recent attacks on super funds, one would have thought it had such a plan. The question of determining whose personal information has been stolen may be complicated. Complicated but possible. Mercer would have a register of mail sent and have a reasonable idea of correspondence it is expecting, such as expected completed forms. But it would necessarily be an incomplete exercise. The judgment then is how wide does the notification need to go? That is where a careful consideration of the facts is required.
The Australia Post media release provides:
Australia Post is supporting a Victoria Police investigation into break ins and theft of mail from Post Office Boxes within the mezzanine area of the Melbourne GPO Box Room in Bourke St, Melbourne, between 6 and 17 July.
The offenders were able to force entry into a back-of-house area used for sorting mail and distributing letters into PO Boxes on three occasions, and on the fourth, left immediately when deterred by additional security measures. The offenders caused significant damage on entry into the facility, which was promptly repaired, and additional security measures were put in place after each break in.
Australia Post has advised potentially affected customers of the unlawful access to their Post Office Boxes at the GPO Box Room and apologises for the inconvenience caused by these criminal acts.
Unlike parcels, letters are not tracked, and Australia Post is unable to identify individual mail items or boxes targeted by the offenders.
Registered mail items are handled in a separate area of the Melbourne GPO Box Room facility that was not affected in the break ins.
Customers seeking to check the status of any tracked items, including Parcel Post, e-parcel, Express Post or Startrack packages are advised to check the tracking page of the Australia Post website or the AusPost App.
Australia Post has implemented a number of additional security measures, including after-hours security presence in the PO Box Room.
Plans are well underway for this facility to move to a new, nearby custom-designed facility next month.
The ABC story provides:
A superannuation fund does not know how many members have been affected after mail was stolen from Australia Post in Melbourne’s CBD.
In an email sent on Wednesday, Mercer Super, which also operates Virgin Money Super, said the breach affected members who posted mail to its Melbourne GPO Box Centre located at 380 Bourke Street between July 1 and 17.
Mercer Super said it did not know the exact number of members who had been impacted by the theft, but said customers who sent mail during that period should get in contact.
The superannuation fund has more than 1.1 million members, according to its website.
“If no information was posted to us in July, there’s no need to take any action,” it said in an email to members.
It told customers to be alert for suspicious emails, calls or messages, and to not share personal or financial information unless certain of the source.
The fund does not believe the incident has impacted members’ accounts so far.
“Currently there is no indication that any members’ personal information has been published externally or sold as a result of this incident,” the Mercer Super website said.
The fund also said it had enhanced its security processes to further protect members, and has contacted the Australian Information Commissioner and the Australian Prudential Regulation Authority (APRA).
Investigation continues into post office box break-in
The offenders allegedly broke into the mezzanine area of the Melbourne GPO Box Room four times between July 6 and 17, an Australia Post spokesperson said.
“The offenders were able to force entry into a back-of-house area used for sorting mail and distributing letters into PO Boxes on three occasions, and on the fourth, left immediately when deterred by additional security measures,” the spokesperson said.
“The offenders caused significant damage on entry into the facility, which was promptly repaired, and additional security measures were put in place after each break-in.”
The spokesperson said letters were not tracked, unlike parcels, and Australia Post has been unable to identify individual mail or boxes targeted by the offenders.
Australia Post said it had increased security at Bourke St, including after-hours security in the Post Office Box Room.
“Plans are well underway for this facility to move to a new, nearby custom-designed facility next month,” the spokesperson said.
Australia Post customers with PO boxes at 380 Bourke Street have been notified via letters to their boxes that their boxes will soon be moved 100 metres away to 385 Bourke Street.
No arrests have been made and Victoria Police says the investigation is ongoing.
Victoria Police have also confirmed two men broke in to Tynong Licensed Post Office, south-east of Melbourne, on July 16.
“Cash and parcels were stolen before the offenders left the area,” a police spokesperson said.
Businesses urged to use registered post
A spokesperson for federal Minister for Communications Anika Wells said the Bourke Street Australia Post thefts were “concerning”.
“Investigations are ongoing but Australia Post has taken immediate steps to reinforce site security, including repairs, enhanced locking mechanisms, and the deployment of a security guard during non-staffed hours,” the spokesperson said.
“Australia Post has confirmed that no registered post items were taken.
“We are taking this matter seriously and encourage businesses to use registered post when sending items that require enhanced security, tracking and proof of delivery for customers.”