Online wine wholesaler Vinomofo has been given 90 days to rectify a number of glaring security failures after a 2022 data breach impacted nearly one million individuals.
The wine retailer first announced its data breach in October 2022 after an illicit advertisement for its customers’ leaked data appeared on a Russian-language cybercrime forum, though it did not initially disclose how many people were affected.
A recent investigation by Australia’s Privacy Commissioner Carly Kind has now revealed 928,760 customers and members were in the vendor’s database at the time of the incident, impacting names, genders, dates of birth, addresses, phone and email contact details, and financial information such as sales order histories and invoice details.
A sample of the leaked data in 2022 also included nuanced customer details such as “Not drinking anymore”.
The commissioner ultimately found Vinomofo not only contravened the Privacy Act, but also “interfered with the privacy of almost a million individuals” by failing to take reasonable steps to protect its customers’ personal information from security risks which led to the breach.
“The respondent was aware of the deficiencies in its security governance and that it needed to uplift its security posture at least two years prior to the Incident,” said Kind, giving particular emphasis to the retailer’s failures in its “cultural approach” to privacy, as well as its training, policies and procedures.
A spokesperson for Vinomofo told Information Age the company had accepted the Office of the Australian Information Commissioner’s (OAIC) findings and taken steps to “further strengthen” its information security environment, governance and staff training since the incident.
“We thank the OAIC for its consideration and remain fully committed to working constructively to implement all required actions,” they said.
Wine seller blurry on details
Kind’s investigation also revealed a number of discrepancies between the retailer’s initial account of the breach and what actually took place.
The incident occurred on 25 September 2022 when a threat actor took data from a temporary database which was being used to migrate customer data as part of a system upgrade.
While Vinomofo initially said this database was a “testing platform”, the company later clarified it was a “temporary migration database” and was “not used for the purpose of testing nor was any testing undertaken”.
Kind found this database was “poorly configured” at the time of the incident.
Specifically, it was not isolated from the internet, had no web application firewall in place, and did not have encryption enabled.
According to Kind, Vinomofo also claimed that detailed logging was in place for its central internally built eCommerce business applications, but some databases, including the database impacted by the incident, did not have logging enabled.
“With the absence of security logging, the threat actor was able to gain access to and exfiltrate the respondent’s customer database without detection,” Kind said.
Privacy ‘boring’, said breached company
Kind also took issue with Vinomofo’s cybersecurity culture.
At the time of the incident, the company’s management team responsible for cybersecurity was made up of just three individuals, two of whom held significant roles with no formal qualifications in cybersecurity.
Furthermore, Kind noted the company previously categorised its public-facing privacy policy under the title ‘the boring stuff’.
When faced with Kind’s preliminary view that the company did not appear to consider its customers’ privacy a business priority before suffering its incident, Vinomofo argued COVID-19 lockdowns meant upgrading its telephone system had to take operational priority.
Kind maintained, however, that Vinomofo had an “unacceptable delay” in uplifting its security posture prior to its 2022 system upgrade.
Fix it, and fix it quickly
Kind ultimately gave Vinomofo just 90 days to implement several steps to uplift its security and governance, including: implementing security logging; applying security access settings on certain databases; and setting up monitoring measures to detect unauthorised activity.
The company was also told to engage an independent reviewer to assess whether it had adequate staff with cybersecurity expertise, and to review its implementation of Kind’s advice.
Rahat Masood, senior lecturer at the UNSW School of Computer Science and Engineering, told Information Age the decision was an “unmistakable signal” the OAIC now expects organisations to “move beyond box-ticking compliance”.
“The OAIC has clearly said in the detailed report that training, monitoring, and logging aren’t optional technical extras; they are fundamental duties under the Privacy Act,” she said.
“The finding reminds boards that privacy protection is not just an IT responsibility, but a leadership and governance obligation.
“When an organisation fails to treat privacy as a business-wide priority, the reputational and regulatory consequences can persist for years.”