Schneier on Security

A blog covering security and security technology.

« Yet Another Redacting Failure | Main | Ignoring the "Great Firewall of China" »

June 27, 2006

Employee Theft at Australian Mint

You'd think a national mint would have better security against insiders.

But Justice Connolly also criticised security at the mint, saying he was amazed a theft on this scale could happen.
The court heard Grzeskowiac, 48, of the southern Canberra suburb of Monash, simply scooped coins from the production line into his pockets before transferring them to his boots or lunchbox in a toilet cubicle.

Over a 10-month period he walked out with an average of $600 a day.

Justice Connolly expressed astonishment that the mint's security procedures were so lax.

"I find it hard to believe that 150 coins could be concealed in each boot and a person could still walk through the security system," he said.

Justice Connolly also said he was amazed the mint could give no indication of just how many coins had actually gone missing.

"I would like to think those working at the other mint factory printing $100 notes might be subject to a better system of security," he said.

Posted on June 27, 2006 at 7:45 AM • 26 Comments

To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.

Comments

dm • June 27, 2006 8:27 AM

I remember reading about this a few months ago. I too was very surprised at how easy it was to steal.

Clive Robinson • June 27, 2006 8:28 AM

Back when Sir Isac Newton (who invented the milling on coins) was in charge of the Royal Mint in England, they had an interesting set of rules to deal with theaft etc.

1, An employee who was caught stealing got executed the most painfull way (Hang drawing and quatering) which was usually reserved for trators.

2, The employee's supervisor was publicly Gelded and Gouged, a delightfull little punishment that involved having one's testiculs pulled (not cut) off and one's eye's pulled (again not cut) out. This was the punishment usually reserved for stealing the King's deer, very suprisingly a number of people did survive it...

Ah the old days where best...

Jungsonn • June 27, 2006 9:00 AM

"...I would like to think those working at the other mint factory printing $100 notes might be subject to a better system of security..."

Another great example of the law of great numbers through the small numbers.

Stu Savory • June 27, 2006 9:55 AM

FWIW : Back on 6th of march I blogged about the mint at Stolberg in Germany, 500 years old, and some of the security measures taken even then. If you are interested, the URL is
http://www.savory.de/blog_mar_06.htm#20060306

radiantmatrix • June 27, 2006 11:08 AM

$600 a day? That's a hell of a slice of Salami. At the US coin Mints, they warn employees not to carry change into the mint, because they won't leave with it -- there are very sensitive metal detectors that all employees pass through on the way out, and if you have so much as a penny on you, you'll give it up to the mint.

And that's just what they show you on the tour...

Saqib Ali • June 27, 2006 12:09 PM

http://digg.com/security/...
says
** 78% of the world's top 100 financial institutions reported a security breach in the prior year from the outside, 49% from the inside
** top 2 insider beaches were: insider fraud (28%); and leakage of customer data (18%).
* 70% of movies released illegally to file sharing networks were done by insiders at the companies.

Rob Mayfield • June 27, 2006 4:40 PM

It's not that surprising, though it should be.

Note that from the story it appears that the mint never actually woke up to the problem themselves; local businesses became suspicious. I guess it would seem odd to be buying a new TV or putting 100$ of petrol into your car with the sole method of payment being freshly minted $2 coins.

As for internal verses external threats generally - it wouldnt surprise me if instances of the former exceed the latter by an order of magnitude for a number of reasons - generally employees arent trained on what is appropriate behaviour and what is not; are trusted; have freedom of movement; arent audited or searched; arent monitored and most of all their super's/managers arent prepared to take part of the blame when holes/events are exposed. You'd also imagine employees are the most likely group to have a motivation for wrongdoing that extends beyond the financial dimension, as was the case in this story. Obviously there are exceptions to these where security is taken seriously. You'd think a mint would be one of them.

roy • June 27, 2006 5:33 PM

One of the impediments to implementing real security is that the bosses don't trust themselves (or each other) not to steal small stuff -- office supplies and such.

Richard • June 27, 2006 8:06 PM

50 years ago my grandmother used to work at a Cailler (now Nestle) chocolate factory in France that had better security! One woman was caught stealing chocolates by hanging a bag under her skirt.

Filias Cupio • June 27, 2006 10:00 PM

You mean, the mint is less secure than the mint chocolate?

Filias Cupio • June 27, 2006 10:16 PM

He missed an obvious trick: the loot could have been easily laundered through casino poker machines. This turns new coins into old (with the casino taking a cut) and then the casino will not question you exchanging a couple of thousand dollars of used coins for paper money.

(For that matter, I've deposited over $3000 in quarters at one go, with no question from the teller other than an anguished "why me?". It was, however, into a non-personal account.)

ashtray • June 27, 2006 10:21 PM

The judge is probably good at his job, but I am glad that he is not in charge of security of the currency, since he does not know how or where it is produced. $100 notes are produced in Victoria by Note Printing Australia, which is owned and run by the Reserve Bank of Australia, which is a (mostly) autonomous body. Coins, on the other hand, are produced in Canberra at the Royal Australian Mint, which is operated by the Federal Government (via the Department of the Treasury, I believe). So the security measures are completely different. It does not suprise me that the one operated by the politicians had the poorer security. And NPA does at least have "dual custody" rules in place, although I have no idea how well they are enforced.

Matthew • June 28, 2006 2:38 AM

@Richard:

I'm suprised the chocolate factory were your grandmother worked even tried to prevent theft. I have a friend who works in a chocolate factory and the policy there is that an employee may _eat_ as much chocolate as they want, but not take it out of the factory. As a result, all new employees spend their first day on the job stuffing themselves with chocolate and making themselves sick. After the first day they never want to eat chocolate again, and guess what? this factory has very little problem with theft.

MartinBuden • June 28, 2006 3:56 AM

But security is a trade-off between the cost of the security breach and the cost of the security measures.

Perhaps the mint did a thorough threat analysis, taking into account the number of employees with access to the coins, the maximum weight/volume of coins they could carry out in a day, and the expected proportion of dishonest employees. They did the maths and it worked out the expected "leakage" was less than the cost of the security measures (buying metal detectors, having security guards to staff them etc)...

Arturo Quirantes • June 28, 2006 5:10 AM

@MartinBuden

Bruce wrote about a similar subject in his book "Secrets and Lies", concerning Iran's state-of-the-art, made-in-USA bill-printing machine. Looks like the ayatollahs decided it would be more profitable to print $100 bills than their own currency. Some people in the US were alarmed because Iran's prints could make virtually perfect US bills. But someone calculated just how many bills Iran could print, and decided that it would not threaten economic stability.

Both are good examples of "security through inaction". That is, if it's broke but takes more money to fix it than not, just leave it alone. The banking industry has long learned that. They know that the prize of securing credit-card transactions are much higher (both in terms of lost money and of lost credibility), so they don't try hard.

Of course, that is easier to implement in the private sector, where income and expenses have to be taken into account. No government official could say something like "yeah, we should put more security measures in that metro station, but it would be cheaper to rebuild it should something go wrong"

MartinBudden • June 28, 2006 5:27 AM

I wasn't seriously suggesting that the Australian mint actually did this threat analysis. I almost added a statement "Or perhaps they were just stupid" to my comment, but I thought it more humourous without the qualifier. Of course, Occam's razor tells us that they were just stupid.

Brian • June 28, 2006 8:16 AM

I worked at a chocolate factory too one summer. We were not allowed to eat it on the line, but were able to eat the duds. As for getting sick of chocolate, forget it! I loved it and even bought huge quantities from the company store (at cut rate prices) at the end of the summer to keep me going over the next year in university.

Peter • June 28, 2006 8:32 AM

I used to ride the bus with a couple folks that worked at the Denver Mint. If they brought more than a certain amount of currency with them (I think it was about $20), they had to leave it with a supervisor, who had to fill out paperwork and lock it up outside the working area. Even with all that, at least once per year, someone got busted trying to smuggle cash out, sometimes using hollowed out radio/mp3 players.

Luke Gilliam • June 28, 2006 3:54 PM

"The employee's supervisor was publicly Gelded and Gouged"

This sounds like strong encouragement for a supervisor to collude with guilty employees or suppress evidence of their crimes.

Roger • June 28, 2006 8:46 PM

Regrettably the Australian Government has a long history of not taking security seriously. Project Venona showed that Australia was one of the GRU's favourite shopping places, not because we had any of the really good secrets but because we leaked the ones did have.

And now Australia is trying to insist that the US share stealth technology if we are going to buy some JSFs. Note to US: don't tell us. We will leak it.

EZA • July 25, 2006 12:49 AM

U really need to have when the money first got printed!!!!! >:(

\/|[<>*lachlan*<>]|\/ • August 27, 2006 6:55 PM

i am doing a project about money can you help me with some questions.

how do you get a job with the australian mint?
how much money does it take the government to make money?

How much is Australian money worth in other countries e.g Africa china Italy?

ya mum! • September 17, 2006 9:31 PM

suk mE! MWHAHAHAH!

Ashleigh • March 2, 2007 8:59 PM

how much $1.00 Australian is worth in French currency

Yousef Salem • October 31, 2007 12:22 PM

Bruce, can you supply me with information regarding Iran allegedly purchasing a US-made state-of-the-art paper currency printing machine? Is this fact or myth? If fact, how can I get the all the infornmation pertaining to that purchase? This is quite urgent. I need it for a proposed ink article and op-ed piece.

Regards,
yousef_salem@juno.com

Yousef • November 7, 2007 1:45 PM

CAN YOU KINDLY REPLY TO MY REQUEST? THANX

Regards,
yousef_salem@juno.com

Posted by: Yousef Salem at October 31, 2007 12:22 PM

Post a comment

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

Subscribe via Kindle

Blog Menu

Search

Powered by DuckDuckGo

Blog Home Page
100 Latest Comments

Archives by Date

2013 J F M A M
2012 J F M A M J J A S O N D
2011 J F M A M J J A S O N D
2010 J F M A M J J A S O N D
2009 J F M A M J J A S O N D
2008 J F M A M J J A S O N D
2007 J F M A M J J A S O N D
2006 J F M A M J J A S O N D
2005 J F M A M J J A S O N D
2004 J F M A M J J A S O N D