Vinomofo data breach determination - the obligation to take reasonable steps
13 November 2025
In late October 2025, the Privacy Commissioner found that an online wine wholesaler had failed to take reasonable steps to protect the personal information of its customers.
APP 11 sets the standard of care that an organisation must take to protect the personal information that it holds. Since the Privacy Act 1988 (Cth) was first introduced, the standard has been that an entity must take 'such steps as are reasonable in the circumstances'. The provision was also updated in the recent reforms to make clear that these steps include both technical and organisational measures (APP 11.3).
Most of us are familiar with the notion of the ‘reasonable person’. It is an objective test (independent of the individual's own circumstances) that asks whether a hypothetical, sensible person would have acted the same way in similar circumstances. Various areas of law, such as employment law, contract law and torts, use the ‘reasonable person’ test. It allows a standard to evolve as society becomes more sophisticated or circumstances change. However, it can equally be a source of frustration, as clients looking for certainty can find it hard to pin down precisely what the standard is at any given moment.
The recent determination by the Privacy Commissioner gives useful guidance on how that standard should be interpreted for a modern-day security breach in which bad actors gain access to your data.
What happened?
In September 2022, a hacker broke into Vinomofo’s database and exfiltrated 17GB of data, including the following customer and member information:
- Identity Information: gender and date of birth
- Contact Information: name, email address, phone number and residential address
- Financial Information: sales order history and invoice information
Relevant circumstances
In determining what reasonable steps Vinomofo could have taken to protect the information, the Commissioner considered the following circumstances:
- The nature and volume of the information held: 928,760 customer records.
- Vinomofo’s resources: $72 million per annum and 120 employees.
- Possible adverse consequences:
  - the large amount of personal information, which posed a risk of harm to affected individuals, including through identity theft or fraud;
  - the publication and sale of personal information on the dark web; and
  - being targeted by online scams.
Although the Commissioner agreed that Vinomofo had taken some steps, she was not satisfied that, taken together, the steps were commensurate with the risks and reasonable in the circumstances.
What steps should Vinomofo have taken?
- Security logging - The respondent had limited security logging capability. Although there was some detailed logging in the internally built eCommerce business applications, it was not consistently applied and the database impacted did not have logging enabled.
- Cloud infrastructure security controls - At the time of the incident, the database was poorly configured and was not isolated from the internet. It did not have a web application firewall in place or encryption enabled.
- Access monitoring - The respondent did not have monitoring in place to control, detect and alert on suspicious or unauthorised activity in real time. This delayed detection of the breach.
- Policies and procedures - Vinomofo had no formal policies or procedures governing the handling of personal information, and none covering responsibilities, roles, or the acceptable use of passwords, laptops and logins.
- People and culture - At the time of the incident, Vinomofo’s management team included the head of data and technology and head of engineering. Both positions were staffed by former engineers with no formal qualifications or certifications in cyber security.
It did not assist Vinomofo that its privacy policy was found under the title ‘the boring stuff’ and noted that:
‘We’re impressed with your commitment ... but the good stuff is all up there, buddy. [Emoji: finger pointing up]. Since you're here, check out these links and boring bits, if you're into that kind of thing.’
Whilst the Commissioner acknowledged that this was intended to contrast the serious legal elements with the more product-focussed ‘fun’ content, it was clearly connected to the finding that:
'Security policies and practices are only effective when properly and consistently implemented and followed by employees. Security governance arrangements should include appropriate training, resourcing and management focus to foster a privacy- and security-aware culture.'
The case also highlighted a common misunderstanding around who is responsible for security when using cloud infrastructure (in this case, Vinomofo used Amazon Web Services). Although cloud providers offer security capabilities, it is up to the customer to ensure the services it deploys are appropriately configured and managed.
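To make the shared-responsibility point concrete, the following is an added Terraform example for an AWS RDS database, not from the determination or from Vinomofo, that shows the three cloud-infrastructure gaps the Commissioner identified (database reachable from the internet, no encryption at rest, no logging) beside a corrected configuration; the variable names, port and KMS key are assumed placeholders, and the web application firewall belongs in front of the web tier and is not shown here.

```hcl
# --- Weak: reachable from the internet, unencrypted, no logs exported ---
resource "aws_security_group" "db_open" {
  name   = "db-open"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]   # any host on the internet may reach the DB port
  }
}

resource "aws_db_instance" "weak" {
  engine                 = "mysql"
  instance_class         = "db.t3.medium"
  allocated_storage      = 100
  username               = var.db_user
  password               = var.db_password
  publicly_accessible    = true    # public IP: the database is not isolated
  storage_encrypted      = false   # data at rest held in the clear
  vpc_security_group_ids = [aws_security_group.db_open.id]
  # no enabled_cloudwatch_logs_exports: nothing to review after an incident
}

# --- Corrected: private subnet, app tier as sole source, encrypted, logged ---
resource "aws_security_group" "db_private" {
  name   = "db-private"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [var.app_tier_sg_id]   # only the application tier
  }
}

resource "aws_db_instance" "hardened" {
  engine                          = "mysql"
  instance_class                  = "db.t3.medium"
  allocated_storage               = 100
  username                        = var.db_user
  password                        = var.db_password
  publicly_accessible             = false                    # no public endpoint
  db_subnet_group_name            = var.private_subnet_group # private subnets only
  storage_encrypted               = true
  kms_key_id                      = var.db_kms_key_arn       # placeholder key ARN
  vpc_security_group_ids          = [aws_security_group.db_private.id]
  # "audit" needs the MariaDB audit plugin option group on RDS MySQL
  enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]
}
```

Exporting the logs to CloudWatch is only the first half of the 'access monitoring' point; an alert rule on the exported audit log is still needed so that unusual access is detected in real time.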