Uncorked: What Vinomofo’s privacy breach means for your business

Last week, the Privacy Commissioner found that Vinomofo Pty Ltd breached the Privacy Act following a major data incident. In 2022, a third party accessed and exfiltrated approximately 17GB of customer data during a platform migration project. Approximately 928,760 individuals were affected, highlighting significant gaps in Vinomofo’s data security and compliance.

The incident

Vinomofo’s challenges began in 2018 when it started moving customer data from legacy systems to a new platform. Personal information was temporarily stored in a migration database. In 2022, this database was accessed by an unauthorised party. The Commissioner found that Vinomofo did not take reasonable steps to protect personal information from misuse, interference, and loss, as required by Australian Privacy Principle 11.1. This principle requires organisations to implement both technical and organisational measures to safeguard personal data.

Key failings identified

The Privacy Commissioner highlighted several areas where Vinomofo fell short:

  • Limited monitoring and detection: Vinomofo lacked adequate systems to monitor, detect, and respond to security threats or unauthorised access.
  • Inadequate cloud security: The affected database was not hosted in a virtual private cloud, was accessible from the internet, and did not have a web application firewall or encryption.
  • Cultural and procedural gaps: Policies, procedures, and training around privacy were insufficient, reflecting a broader organisational culture that did not prioritise customer privacy.

What should have been done?

The Privacy Commissioner outlined practical steps Vinomofo could have taken to better protect personal information:

  • Enhanced security logging: Maintain comprehensive audit logs for all database activity, retain logs for at least a year, and store them securely.
  • Stronger cloud controls: Host sensitive databases in isolated virtual private clouds, use web application firewalls, and encrypt all personal data.
  • Proactive access monitoring: Implement real-time monitoring and alerts for suspicious activity, with immediate action on high-severity incidents.
  • Robust policies and procedures: Document and regularly update internal security practices, and ensure these are followed in day-to-day operations.
  • Building a privacy-aware culture: Provide regular training, resourcing, and management focus to foster a culture where privacy and security are taken seriously at every level.
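The failings and recommendations above read naturally as a checklist that can be applied to any database holding personal information, including a "temporary" migration store. As an added example (not part of the article, and not code from Vinomofo or CIE Legal), the Python below scores a database deployment against those points; the `DatabaseDeployment` fields, the one-year retention threshold taken from the list above, and the three sample deployments are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# "retain logs for at least a year" (from the Commissioner's recommendations)
MIN_LOG_RETENTION_DAYS = 365


@dataclass(frozen=True)
class DatabaseDeployment:
    """Assumed attributes of a database hosting personal information.

    These field names are an illustration, not any cloud provider's API.
    """
    name: str
    in_vpc: bool                # hosted inside an isolated virtual private cloud
    publicly_reachable: bool    # has an endpoint reachable from the internet
    waf_enabled: bool           # web application firewall in front of the service
    encrypted_at_rest: bool     # personal data encrypted where it is stored
    audit_logging_enabled: bool # all database activity written to audit logs
    log_retention_days: int     # how long those logs are kept
    realtime_alerting: bool     # alerts raised on suspicious access


def assess(db: DatabaseDeployment) -> list[str]:
    """Return one finding per control that is missing, empty if all are met."""
    findings = []
    if not db.in_vpc:
        findings.append("not hosted in an isolated virtual private cloud")
    if db.publicly_reachable:
        findings.append("reachable from the internet")
    if not db.waf_enabled:
        findings.append("no web application firewall in front of the service")
    if not db.encrypted_at_rest:
        findings.append("personal data stored unencrypted")
    if not db.audit_logging_enabled:
        findings.append("database activity is not audit-logged")
    elif db.log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(
            f"audit logs retained for {db.log_retention_days} days, "
            f"under the {MIN_LOG_RETENTION_DAYS}-day minimum"
        )
    if not db.realtime_alerting:
        findings.append("no real-time alerting on suspicious access")
    return findings


def compliant(db: DatabaseDeployment) -> bool:
    return not assess(db)


# Constructed samples: a migration store with every listed failing, one that
# only keeps logs for a quarter, and a deployment meeting all listed controls.
MIGRATION_DB = DatabaseDeployment(
    "migration-db", in_vpc=False, publicly_reachable=True, waf_enabled=False,
    encrypted_at_rest=False, audit_logging_enabled=False, log_retention_days=0,
    realtime_alerting=False,
)
SHORT_RETENTION_DB = DatabaseDeployment(
    "customers-db", in_vpc=True, publicly_reachable=False, waf_enabled=True,
    encrypted_at_rest=True, audit_logging_enabled=True, log_retention_days=90,
    realtime_alerting=True,
)
HARDENED_DB = DatabaseDeployment(
    "customers-db-v2", in_vpc=True, publicly_reachable=False, waf_enabled=True,
    encrypted_at_rest=True, audit_logging_enabled=True, log_retention_days=400,
    realtime_alerting=True,
)

if __name__ == "__main__":
    for db in (MIGRATION_DB, SHORT_RETENTION_DB, HARDENED_DB):
        print(db.name, "->", assess(db) or "all listed controls present")
```

Run as a script it prints the findings for each sample; in practice the `DatabaseDeployment` values would be filled from the cloud provider's inventory, and a migration database that exists only for a few months still has to pass every check, since the data it holds is no less sensitive for being in transit.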

What does this mean for your business?

This case is a timely reminder that compliance with the Privacy Act is not just about having policies on paper. Organisations must take a holistic approach, combining technical controls, robust processes, and a culture that values privacy. The reasonable steps required by APP 11.1 will depend on the volume and sensitivity of the data you hold, the nature of your business, and the potential consequences of a breach.

If your business is migrating data, using cloud services, or handling large volumes of personal information, now is the time to review your security controls, update your policies and practices, and invest in staff training. The cost of getting it wrong can be significant, not just in regulatory penalties, but in reputational damage and loss of customer trust.

Need help navigating your privacy obligations?

CIE Legal’s privacy and data protection team can help you assess your risks, update your policies, and build a privacy-first culture. Contact us to find out more.

This content is provided for reference only and may not be current on the date of access. It does not constitute legal advice and should not be relied upon as such.
