See story update below.
The Office of the Australian Information Commissioner (OAIC) has determined that Vinomofo Pty Ltd, an online wine retailer, did not take adequate measures to protect the personal information of nearly one million individuals, leading to a significant data breach.
The investigation, led by Privacy Commissioner Carly Kind, concluded that Vinomofo breached its obligations under Australian Privacy Principle 11.1 by failing to implement reasonable security controls.
The OAIC’s review identified that Vinomofo’s approach to privacy governance was lacking, with shortcomings in internal policies, staff training, and the overall organisational culture regarding privacy.
These deficiencies were found to have contributed to the company’s inability to prevent the breach.
“The respondent was aware of the deficiencies in its security governance, and that it needed to uplift its security posture at least two years prior to the incident,” Kind said. The commissioner’s determination emphasised that organisations must ensure robust protection of personal data, especially when using cloud infrastructure and undertaking data migration projects.
The breach occurred in 2022 during a large-scale data migration. At the time, Vinomofo’s database contained approximately 17GB of information, including records for about 928,760 customers and members. The compromised data included personal identifiers, contact details, and financial information.
The OAIC found that, while Vinomofo had some security measures in place, certain reasonable technical and organisational steps required under the Australian Privacy Principles were not in effect at the time of the incident.
The commissioner concluded that the steps taken by Vinomofo were not reasonable in the circumstances and did not adequately protect against unauthorised access, loss, or disclosure of personal information.
As a result of the findings, Vinomofo has been directed to cease the practices that led to the breach and to avoid similar conduct in the future.
Separately, the OAIC has launched a new Notifiable Data Breaches (NDB) statistics dashboard, providing interactive access to breach notification data.
The dashboard is designed to help organisations, including those in the insurance sector, analyse trends and benchmark their own incident responses.
Updated biannually, the tool offers insights into the types and frequency of data breaches reported since the NDB scheme began in 2018.
Kind commented: “Our goal for the new NDB dashboard is to help reporting entities learn from the experiences of others – those organisations and agencies who have had to notify us of a data breach. We hope the tool is used to improve their own responses and reporting if a data breach occurs.”
For the first half of 2025 (H1 2025), the OAIC received 532 notifications of data breaches, a 10% decrease from the previous six months.
Malicious or criminal attacks accounted for 59% of reported breaches, with the health sector experiencing the most incidents (18%), followed by finance (14%) and government agencies (13%).
The period also saw an increase in breaches attributed to human error, which made up 37% of notifications, up from 29% previously. The average number of individuals affected by cyber incidents was just over 10,000.
Kind highlighted the persistent threat environment. “The threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish, so we want to arm entities with data to help them keep personal information secure and to ensure they have an appropriate action plan should a breach occur,” she said.
Following the publication of this story, Vinomofo reached out with a statement.
Attributed to a spokesperson for Vinomofo:
Vinomofo acknowledges the determination of the Office of the Australian Information Commissioner (OAIC) following its investigation into our personal information handling practices, relating to the 2022 cyber security incident.
While the OAIC recognised that we had a range of technical and organisational security measures in place at the time of the incident, the determination outlines steps for us to further strengthen our information security and governance practices.
We accept the OAIC’s findings. We thank the OAIC for its consideration and remain fully committed to working constructively to implement all required actions.
We have also taken steps to further strengthen our information security environment, governance and staff training since the incident. We will continue to do so in line with Vinomofo’s spirit of continuous improvement as a business.
We understand the importance that our customers place upon their personal information, and the protection of their information and privacy is always our utmost priority.