Cyber audit reports: Inaction leads to Privacy Act contravention

Cyber Liability Legal & Compliance
Landis Michaels - Bellrock Advisory

An investigation into Vinomofo Pty Ltd[1] by the Office of the Australian Information Commissioner (OAIC) sends a strong message to Australian businesses: cyber audit reports are not optional reading, nor are their recommendations discretionary.

Cyber risk audits are critical instruments of risk management and failure to act on them can result in significant regulatory and financial consequences.

The investigation, led by the Privacy Commissioner, concluded that the online wine wholesaler, Vinomofo, breached its obligations under Australian Privacy Principle 11.1 by failing to implement reasonable security controls.

It is the second decision in as many weeks that discusses what is considered ‘reasonable steps’ to protect personal information under the Privacy Act (the Act).

Details of the breach

The breach in question exposed the personal data of approximately 928,760 customers. This data included personal identifiers such as names, email addresses, and dates of birth, as well as financial information.

The data breach first came to light in 2022, after some of the stolen data appeared on a Russian cybercrime forum. Vinomofo initially downplayed the incident. A further investigation revealed it had transferred some data to a testing platform, from which the data had been stolen and held for ransom, then subsequently released onto the dark web. According to the Privacy Commissioner, the data security failings included a database that was not isolated from the internet, no firewall in place, and no encryption.

“The respondent was aware of the deficiencies in its security governance and that it needed to uplift its security posture at least two years prior to the Incident,” said the Privacy Commissioner, Carly Kind. Further to this, particular emphasis was given to the failures in Vinomofo’s cultural approach to privacy, anecdotally referring to its own Privacy Policy under the title ‘the boring stuff’ as well as its training, policies and procedures.

Inaction was an unreasonable failure

Vinomofo had previously conducted a security audit; however, the company failed to implement many of the recommendations within that audit. Among the issues outlined in the audit was that formal security policies and procedures governing the respondent’s business operations did not exist. The audit found that the respondent did not have any policies or procedures documenting information security, security roles and responsibilities, or the acceptable use of assets, and that privacy considerations were not built into strategic planning or operational decision-making processes.

Directors must understand and act on cyber risks that could materially affect the organisation. If a cyber report identifies vulnerabilities or non-compliance, the board must ensure there’s a reasonable plan to address them.

Notably, the ASD ACSC recently released a practical guide, Cyber security priorities for boards of directors 2025-26.

Security best practice

We have released our analysis of the ASD’s Cyber Threat Report. Further to this, our Bellrock cyber risk assessment will support our clients to understand whether technology used by, or provided to, their customers is secure by design and secure by default. These security principles and practices are critical for building modern defensible architectures.

A fundamental part of data security is implementing access controls that monitor activity and enable detection through logs. According to industry standards, the minimum controls expected of an organisation include:

  1. Logging all events where a user is performing read, create, modify, or delete actions to databases containing personal information.
  2. Retaining event logs for a minimum of 1 year.
  3. Storing event logs in a centralised and secure information system.

As the Vinomofo case highlights, security policies and practices are only effective when they are followed by employees. Security governance arrangements should include appropriate training, resourcing and management focus to foster a privacy- and security-aware culture.

Insufficient interest in personal information security from staff, in particular senior management, can lead to threats to the security of personal information being ignored and not properly attended to.

Lastly, cyber audits cannot be conducted simply as a “tick box” exercise. This case reinforces the importance of integrating cyber audit outcomes into enterprise risk management frameworks and tracking the process through to resolution. Where recommendations are deferred or rejected, there should be documented justification and alternative mitigation strategies.

Oversight of third-party vendors

The OAIC’s ruling also sends a clear message about applying appropriate security controls to an organisation’s cloud infrastructure. The database was provided by Amazon Relational Database Service (AWS RDS), operating within the AWS cloud environment, and was used as a temporary migration database.

Vinomofo’s configuration of the database was poor in that it:

  1. Was not hosted on a Virtual Private Cloud or isolated from the internet.
  2. Did not have a firewall in place.
  3. Did not have encryption enabled.

This occurred because of the legacy nature of the AWS account, which did not have a VPC by default when it was created in 2012. The lesson here is that failing to update legacy cloud infrastructure can lead to critical security gaps that put personal information at risk.
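The three configuration defects listed above can be checked mechanically against an RDS instance description. The following is an added example, not code from the article or from Vinomofo; it assumes input in the shape of boto3's `rds.describe_db_instances()` response, here a constructed sample with placeholder identifiers, and flags instances that lack VPC isolation, an active security group (the firewall in front of RDS) or encryption at rest.

```python
"""Audit RDS instance descriptions for the three defects the OAIC identified
in the Vinomofo case: no VPC isolation, no firewall, no encryption at rest.
Added example, not the article's or Vinomofo's code. SAMPLE_RESPONSE is a
constructed dict in the shape of boto3's rds.describe_db_instances() result."""

# Constructed sample: one legacy non-VPC instance and one properly configured one.
SAMPLE_RESPONSE = {
    "DBInstances": [
        {
            "DBInstanceIdentifier": "migration-temp",  # placeholder name
            "PubliclyAccessible": True,
            "StorageEncrypted": False,
            "DBSubnetGroup": {},  # no VpcId: EC2-Classic style deployment
            "VpcSecurityGroups": [],
        },
        {
            "DBInstanceIdentifier": "prod-customers",  # placeholder name
            "PubliclyAccessible": False,
            "StorageEncrypted": True,
            "DBSubnetGroup": {"VpcId": "vpc-0123456789abcdef0"},  # placeholder id
            "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0abc", "Status": "active"}],
        },
    ]
}


def audit_instance(db: dict) -> list[str]:
    """Return the control failures for one DBInstance record (empty = compliant)."""
    findings = []
    if not db.get("DBSubnetGroup", {}).get("VpcId"):
        findings.append("not in a VPC")
    if db.get("PubliclyAccessible"):
        findings.append("publicly accessible from the internet")
    # Security groups are the firewall in front of RDS; none active means no filtering.
    active = [g for g in db.get("VpcSecurityGroups", []) if g.get("Status") == "active"]
    if not active:
        findings.append("no active security group (no firewall)")
    if not db.get("StorageEncrypted"):
        findings.append("storage encryption disabled")
    return findings


def audit_response(response: dict) -> dict[str, list[str]]:
    """Map each instance identifier to its findings across a describe response."""
    return {db["DBInstanceIdentifier"]: audit_instance(db)
            for db in response.get("DBInstances", [])}


if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Against a live account, `SAMPLE_RESPONSE` would be replaced by the actual `describe_db_instances()` call, and any non-empty findings list is an audit item to track through to resolution.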

Conclusion

The OAIC’s ruling ordered Vinomofo to issue a public apology as well as improve its data security practices and provide compensation to affected individuals. For Vinomofo, the reputational damage and regulatory consequences are likely to linger for a significant period.

[1] Commissioner Initiated Investigation into Vinomofo Pty Ltd (Privacy) [2025] AICmr 175, 17 October 2025
