Privacy Commissioner Carly Kind has found online wine wholesaler Vinomofo Pty Ltd interfered with the privacy of almost a million individuals by failing to take reasonable steps to protect the personal information it held from security risks which ultimately led to a data breach.

This represented a breach of its obligations under Australian Privacy Principle 11.1 of the Privacy Act, the Privacy Commissioner’s determination stated.

In 2022 Vinomofo experienced a data breach that occurred amid a large data migration project. The data breach resulted in unauthorised access to its customers’ personal information. At the time of the incident, the database held approximately 17GB of data, which included the personal information of approximately 928,760 individuals (customers and members), comprising identity information such as gender and date of birth, contact information and financial information.

The Privacy Commissioner observed that Vinomofo’s culture and business posture failed to value or nurture attention to customer privacy, as exemplified by failures regarding its policies and procedures, training, and cultural approach to privacy, in concluding Vinomofo contravened the Privacy Act.

“The respondent was aware of the deficiencies in its security governance and that it needed to uplift its security posture at least 2 years prior to the incident,” Commissioner Kind said.

Commissioner Kind said the determination provides a clear application of APP 11.1 in the context of data migration projects, and in particular speaks to entities’ obligations when using cloud infrastructure providers to house personal information.

The Commissioner concluded that the totality of steps taken by the respondent were not reasonable in the circumstances to protect the personal information it held from misuse, interference and loss and unauthorised access, modification or disclosure.

The Commissioner made a number of declarations stating the respondent must not repeat or continue certain acts and practices.

The full determination can be accessed on AustLII.

