Privacy watchdog flags security failings before Vinomofo breach

By Jason Pollock, William Maher on Oct 29, 2025 2:39PM

Online wine wholesaler Vinomofo “interfered” with the privacy of almost a million individuals by failing to protect their personal information from security risks that led to a data breach, according to Privacy Commissioner Carly Kind.

This was a breach of its obligations under Australian Privacy Principle (APP) 11.1 of the Privacy Act, the Commissioner determined.

The breach in September 2022 was of a Vinomofo database holding personal information of about 928,760 customers and members.

At the time of the incident, the database held approximately 17GB of data, including identity information such as gender and date of birth, contact information including names, email addresses, phone numbers, and residential addresses, and sales order histories and invoice information.

The breached database was a PostgreSQL “temporary migration database” hosted on AWS’s Relational Database Service.

Vinomofo had transferred personal information to it to facilitate an upgrade of its customer data management system, which involved migrating data from its legacy environment to a new system.

On 25 September 2022, an unauthorised third party accessed and exfiltrated data from the database. Vinomofo notified the OAIC of the breach on 17 October 2022.

The company was asked for a ransom payment and the data was posted for sale on the dark web on 16 October 2022.

In response to Vinomofo's data breach notification, the OAIC made preliminary inquiries resulting in concerns about Vinomofo's privacy practices. In April 2023, the former Australian Information Commissioner commenced an investigation into Vinomofo’s compliance with APP 11.1.

Commissioner Carly Kind said the decision clarifies how APP 11.1 applies to data migration projects, particularly regarding entities’ responsibilities when using cloud providers to store personal information.

“The respondent was aware of the deficiencies in its security governance and that it needed to uplift its security posture at least two years prior to the incident,” Kind stated.

Security controls found lacking

Vinomofo went "some way" to taking the "reasonable steps" required by Australian Privacy Principles, Commissioner Kind acknowledged.

But in her view that wasn’t enough, considering the information, Vinomofo’s resources at the time, and the risk if the data was breached.

She flagged Vinomofo’s “limited ability to monitor, detect, be alerted to, respond to and record security threats, unauthorised access or suspicious activity occurring on the database.” The breached database did not have logging enabled, she noted.

Another concern was that Vinomofo did not apply access monitoring controls to the AWS environment where the database was stored.

The Commissioner also noted that at the time of the incident, the Vinomofo database was “poorly configured and was not hosted on a VPC or isolated from the internet; did not have web application firewall in place, and did not have encryption enabled.”

The database was created outside of a virtual private cloud due to the legacy nature of the AWS account, which did not have a VPC as default when it was created in 2012.

Culture and governance issues

The Commissioner also found Vinomofo’s “culture and business posture was not one that valued or nurtured attention to customer privacy”.

A 2021 security audit report stated that “formal security policies and procedures governing the respondent’s business operations did not exist”.

That report said Vinomofo “did not have any policies or procedures documenting information security, security roles and responsibilities, or the acceptable use of assets such as laptops, emails or passwords.”

She acknowledged Vinomofo’s “claim” that it had an active IT policy at the time of the audit, and its “affirmation that all staff were trained on data protection at the time of the Incident through the privacy training module delivered by ‘Safetrac’.”

But in her view it was reasonable for Vinomofo to have implemented “documented practices, procedures and systems to ensure a consistent approach to the security of personal information.”

The Commissioner also criticised Vinomofo’s people and culture. She noted that at the time of the breach, the company’s management team responsible for cyber security consisted of three people, including the head of data and technology and the head of engineering, who had no formal qualifications or certifications in cyber security.

She acknowledged that COVID-19 impacted Vinomofo and prompted the urgent need to upgrade its telephone system to facilitate remote working.

But she maintained that there was an “unacceptable delay” in uplifting its security posture before beginning its data migration project and transferring data to the database.

Vinomofo was “aware of the deficiencies in its security governance and that it needed to uplift its security posture at least 2 years prior to the Incident.”

The company was “also aware of the areas where significant security risks existed that required urgent attention following the Security Audit Report which was issued a year prior to the incident.”

Orders and required actions

The Commissioner declared that Vinomofo must implement security logging in all of its AWS environments that store personal information; apply appropriate security access settings to any database that holds personal information; and implement systems or controls to monitor systems for signs of unauthorised activity.
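The configuration gaps the Commissioner lists (a database reachable from the internet, not placed in a VPC, without encryption and without logging) and the remediation she orders (logging, access settings, monitoring) are all visible in the output of the AWS CLI’s `describe-db-instances` call. The script below is an added example, not part of this article or of any Vinomofo or OAIC material: it reads that JSON and reports, per instance, which of those four controls is missing. It assumes the real field names of the RDS API response (`PubliclyAccessible`, `StorageEncrypted`, `EnabledCloudwatchLogsExports`, `DBSubnetGroup`), assumes that an instance created outside a VPC omits `DBSubnetGroup`, and uses constructed sample instances with hypothetical names that do not describe any real account.

```python
"""Audit `aws rds describe-db-instances` output for the control gaps named in
the OAIC decision: public exposure, no VPC, no encryption at rest, no logging.

Added example, not part of the article or of any Vinomofo/OAIC material.
Field names follow the real RDS API response; the sample instances are
constructed and do not describe any real account.
"""
import json
import sys

# Constructed sample in the shape of `aws rds describe-db-instances --output json`.
# The first instance mirrors the kind of configuration the decision describes;
# the second is a hardened counterpart. Neither is Vinomofo's real configuration.
SAMPLE_DESCRIBE_JSON = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "migration-tmp-db",   # hypothetical name
            "Engine": "postgres",
            "PubliclyAccessible": True,
            "StorageEncrypted": False,
            "EnabledCloudwatchLogsExports": [],
            # No DBSubnetGroup key: assumption that an instance created outside
            # a VPC (the legacy case the decision describes) omits it.
        },
        {
            "DBInstanceIdentifier": "prod-db",            # hypothetical name
            "Engine": "postgres",
            "PubliclyAccessible": False,
            "StorageEncrypted": True,
            "EnabledCloudwatchLogsExports": ["postgresql", "upgrade"],
            "DBSubnetGroup": {"DBSubnetGroupName": "prod-private",
                              "VpcId": "vpc-0123456789abcdef0"},
        },
    ]
})

# Finding codes, in the order they are reported.
PUBLIC_ENDPOINT = "public-endpoint"
NO_VPC = "no-vpc"
STORAGE_UNENCRYPTED = "storage-unencrypted"
NO_LOG_EXPORT = "no-log-export"


def audit_rds_instance(inst: dict) -> list[str]:
    """Return the list of control gaps for one DBInstances entry."""
    findings = []
    # Endpoint resolvable and reachable from the internet.
    if inst.get("PubliclyAccessible", False):
        findings.append(PUBLIC_ENDPOINT)
    # Not placed in a VPC: no subnet group, or a subnet group with no VpcId.
    if not inst.get("DBSubnetGroup", {}).get("VpcId"):
        findings.append(NO_VPC)
    # Storage-level encryption at rest is switched off.
    if not inst.get("StorageEncrypted", False):
        findings.append(STORAGE_UNENCRYPTED)
    # Nothing exported to CloudWatch Logs: no server log to alert on, and
    # nothing to reconstruct access from after an incident.
    if not inst.get("EnabledCloudwatchLogsExports"):
        findings.append(NO_LOG_EXPORT)
    return findings


def audit_describe_output(text: str) -> dict[str, list[str]]:
    """Map every instance identifier in a describe-db-instances document to its findings."""
    doc = json.loads(text)
    return {inst["DBInstanceIdentifier"]: audit_rds_instance(inst)
            for inst in doc.get("DBInstances", [])}


def main() -> int:
    # Read real CLI output when piped in; otherwise fall back to the sample.
    text = SAMPLE_DESCRIBE_JSON if sys.stdin.isatty() else sys.stdin.read()
    report = audit_describe_output(text)
    for name, findings in report.items():
        print(f"{name}: {', '.join(findings) if findings else 'ok'}")
    # Non-zero exit when any instance has a finding, so the check can gate a pipeline.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `aws rds describe-db-instances --output json | python3 rds_audit.py` against an account you are authorised to audit; with no input piped in it reports on the constructed sample, where the migration instance trips all four checks and the hardened one trips none. The checks are deliberately instance-level; account-level access monitoring such as CloudTrail, which the decision also calls for, is not visible in this API response and needs a separate check.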

Vinomofo must also implement written policies and procedures that meet the minimum security baseline requirements as set out in the Industry Standards; engage an independent reviewer to review the adequacy of staff with cyber security expertise and address any shortcomings identified; and promote a privacy and security aware culture by implementing an appropriate training schedule for staff.

Within six months, Vinomofo must also engage an independent reviewer to review how effectively it has implemented these changes.

Copyright © nextmedia Pty Ltd. All rights reserved.