Australia’s Privacy Commissioner Carly Kind has issued a determination against online wine wholesaler Vinomofo Pty Ltd, finding the company interfered with the privacy of almost one million individuals by failing to take reasonable steps to protect their personal information from security risks.
The determination represents one of the most comprehensive applications of Australian Privacy Principle 11.1 (APP 11.1) to cloud migration projects and provides critical guidance for organizations undertaking similar infrastructure transitions.
The finding follows a 2022 data breach that occurred during a large-scale data migration project, exposing approximately 17GB of data belonging to 928,760 customers and members. The determination goes beyond technical security failures, identifying systemic cultural and governance deficiencies which, in Commissioner Kind’s finding, showed that Vinomofo failed to value or nurture attention to customer privacy.
The Breach: Migration Gone Wrong
In 2022, Vinomofo experienced a data breach amid what the company described as a “large data migration project.” An unauthorized third party gained access to the company’s database hosted on a testing platform, which, despite being separate from the live website, contained real customer information.
The exposed database held approximately 17GB of data comprising identity information including gender and date of birth, contact information such as names, email addresses, phone numbers, and physical addresses, and financial information. The breach initially came to light when security researcher Troy Hunt flagged the incident on social media, and subsequent investigation revealed the stolen data had been advertised for sale on Russian-language cybercrime forums.
The testing platform exposure reveals a fundamental security misconfiguration that has become increasingly common as organizations migrate to cloud infrastructure. Testing and development environments frequently contain production data but receive less rigorous security controls than production systems, creating attractive targets for threat actors who recognize this vulnerability pattern.
Vinomofo’s initial public statements downplayed the breach’s severity, emphasizing that the company “does not hold identity or financial data such as passports, drivers’ licences or credit cards/bank details” and assuring customers that “no passwords, identity documents or financial information were accessed.” However, the Privacy Commissioner’s investigation revealed more significant failures in the company’s security posture and governance.
Privacy as an Afterthought
Perhaps the determination’s most significant finding concerns Vinomofo’s organizational culture. Commissioner Kind concluded that “Vinomofo’s culture and business posture failed to value or nurture attention to customer privacy, as exemplified by failures regarding its policies and procedures, training, and cultural approach to privacy.”
This cultural assessment goes beyond technical security measures to examine the organizational prioritization of privacy protection. The Commissioner observed that privacy wasn’t embedded into business processes, decision-making frameworks, or corporate values—it remained peripheral rather than fundamental to operations.
The determination identified specific manifestations of this cultural failure:
Policy and Procedure Deficiencies: Vinomofo lacked adequate policies governing data handling during migration projects, security requirements for testing environments, and access controls for sensitive customer information.
Training Inadequacies: The company failed to provide sufficient privacy and security training to personnel involved in data migration and infrastructure management, resulting in preventable errors and oversights.
Cultural Approach: Privacy considerations weren’t integrated into strategic planning, risk management, or operational decision-making processes, treating privacy compliance as a checkbox exercise rather than a core business imperative.
Known Risks Ignored
The Commissioner’s determination revealed that Vinomofo was aware of deficiencies in its security governance and recognized the need to uplift its security posture at least two years prior to the 2022 incident. This finding transforms the breach from an unfortunate accident into a foreseeable consequence of deliberate inaction.
The determination states: “The respondent was aware of the deficiencies in its security governance and that it needed to uplift its security posture at least 2 years prior to the Incident.” This awareness without corresponding action demonstrates a failure of corporate governance that extended beyond the IT security function to board and executive leadership levels.
Organizations face resource constraints and competing priorities that can delay security improvements. However, the Commissioner’s finding that Vinomofo knew about security deficiencies for two years before the breach eliminates any claim of unforeseen circumstances. This represents a calculated risk—one that ultimately materialized with consequences for nearly one million customers.
The “Reasonable Steps” Standard
The determination centers on Australian Privacy Principle 11.1, which requires entities holding personal information to take “such steps as are reasonable in the circumstances” to protect that information from misuse, interference, loss, unauthorized access, modification, or disclosure.
The Commissioner concluded that “the totality of steps taken by the respondent were not reasonable in the circumstances” to protect the personal information it held. This holistic assessment weighs the security program as a whole, in light of organizational context, threat environment, and data sensitivity, rather than judging individual security controls in isolation.
The determination provides valuable guidance on how “reasonable steps” should be interpreted in the context of data migration projects, particularly when using cloud infrastructure providers. Key considerations include:
Cloud Security Responsibilities: Organizations cannot delegate privacy obligations to cloud service providers. While providers like Amazon Web Services (where Vinomofo hosted its database) offer security features and controls, customers remain responsible for properly configuring and managing those controls.
Testing Environment Security: Testing and development environments containing real customer data must receive security controls commensurate with the sensitivity of that data. The separation from production systems doesn’t reduce security obligations when personal information is involved.
Migration Risk Management: Data migration projects create heightened security risks during transition periods when data exists in multiple locations, access patterns change, and configurations evolve. Organizations must implement enhanced controls during migrations to address these elevated risks.
Awareness and Action: Knowing about security deficiencies creates an obligation to address them within reasonable timeframes. Extended delays between identifying risks and implementing mitigations may constitute unreasonable conduct under APP 11.1.
Shared Responsibility Misunderstood
The determination’s emphasis on cloud infrastructure provider obligations addresses a widespread misunderstanding of the shared responsibility model that governs cloud security. Cloud providers offer infrastructure and security capabilities, but customers must properly configure and manage those capabilities to protect their data.
Amazon Web Services, where Vinomofo stored the exposed database, provides extensive security features including encryption, access controls, network isolation, and monitoring capabilities. However, these features require proper implementation and configuration by customers. A misconfigured S3 bucket, overly permissive access policies, or inadequate network controls can expose data despite the underlying platform’s security capabilities.
The breach appears to have resulted from Vinomofo’s configuration and management of its AWS environment rather than vulnerabilities in AWS itself. This pattern has become common in cloud data breaches—organizations migrate to cloud platforms attracted by scalability and cost benefits but lack the expertise or diligence to properly secure their cloud deployments.
For organizations using cloud infrastructure providers, the determination establishes clear expectations:
Configuration Management: Organizations must implement rigorous configuration management processes ensuring security settings align with best practices and data protection requirements.
Access Controls: Cloud environments require carefully designed access control policies following least-privilege principles. The flexibility of cloud platforms can create excessive access if not properly managed.
Monitoring and Detection: Cloud platforms provide extensive logging and monitoring capabilities, but organizations must actively use these capabilities to detect suspicious activity and security misconfigurations.
Expertise Requirements: Securing cloud environments requires specialized knowledge. Organizations must ensure personnel managing cloud infrastructure possess appropriate expertise or engage qualified consultants.
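The configuration-management and access-control expectations above can be turned into automated checks. The following is an added example, not code from the article or from Vinomofo: it inspects an S3 bucket policy document for Allow statements open to any principal, and an S3 public access block configuration for disabled settings, using constructed sample policies (the bucket name, account id and role name are assumptions).

```python
# Constructed sample bucket policy for a "testing" bucket that grants everyone
# read access. Assumed bucket name; not Vinomofo's real configuration.
WEAK_POLICY = {
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "TestReadAll", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-test-db-dump",
                 "arn:aws:s3:::example-test-db-dump/*"]}]}

# Constructed corrected policy: access limited to one named migration role, plus
# a Deny refusing plaintext transport. That Deny uses Principal "*" legitimately.
HARDENED_POLICY = {
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "MigrationRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/migration-role"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-test-db-dump",
                 "arn:aws:s3:::example-test-db-dump/*"]},
   {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-test-db-dump/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

def _principals(principal):
    """Normalise the Principal element ("*", a string, or {"AWS": ...}) to a list."""
    if isinstance(principal, str):
        return [principal]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []

def public_allow_statements(policy):
    """Return Sids of Allow statements open to any principal with no Condition.
    Heuristic: a Condition is assumed to narrow the grant, so those are skipped."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" in _principals(stmt.get("Principal")):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits

# The four settings of an S3 public access block; all four should be enabled.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_access_block_gaps(config):
    """Return the public-access-block settings that are missing or disabled."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(k, False)]
```

Statements that are conditionally open (for example, restricted to a VPC endpoint) are deliberately not flagged and still deserve manual review.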
The Remedial Declarations
The Commissioner made several declarations requiring Vinomofo to cease certain acts and practices, though specific details weren’t disclosed in the public announcement. These declarations typically include requirements to:
Implement comprehensive information security programs addressing identified deficiencies.
Conduct regular security assessments and audits of systems handling personal information.
Provide privacy and security training to relevant personnel.
Establish privacy governance frameworks with clear accountability and oversight.
Review and enhance policies and procedures governing data handling, particularly during migration projects.
The declarations serve multiple purposes beyond Vinomofo’s specific case. They provide a roadmap for other organizations undertaking similar cloud migrations or managing customer data at scale. They establish regulatory expectations about minimum acceptable security practices. And they create precedent that future enforcement actions can reference when addressing similar failures.