Australia Blasts Online Merchant for Poor Security Resulting in Huge Data Breach
Online wine wholesaler Vinomofo's failure to take reasonable steps to protect customers' personal information from security risks led to a data breach in 2022 affecting almost a million people, Australian Privacy Commissioner Carly Kind said Wednesday.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The company's "culture and business posture failed to value or nurture attention to customer privacy," DPA said, citing issues with its policies and procedures, training and approach.
The breach resulted in unauthorized access to nearly 930,000 customers' personal information, which, at the time, included gender, date of birth and financial information.
A DPA investigation found that the company's actions weren't reasonable to protect the personal information it held from misuse, interference, loss and unauthorized access and disclosure. Moreover, Vinomofo knew about deficiencies in its security governance, and it needed to upgrade security at least two years prior to the breach, Kind noted. As such, the investigation found Vinomofo violated Australian Privacy Principle 11.1 of the Privacy Act.
As a result of its findings, the office ordered Vinomofo to bolster its data security. For example, within 90 days it must implement security logging in all Amazon Web Services environments that store personal information, and within 6 months it must hire a qualified independent reviewer, such as a privacy or cybersecurity expert, to assess the effectiveness of its actions.