OVIC publishes investigation report on ransomware attack on Datatime Services Pty Ltd
The Office of the Victorian Information Commissioner (OVIC) has published an investigation report into a 2022 ransomware attack that shows that the personal information of a large number of Victorian adults and children was compromised.
An investigative report by the Office of the Victorian Information Commissioner into a 2022 ransomware attack on Datatime Services Pty Ltd shows that the personal information of a large number of Victorian adults and children was compromised.
Datatime was a contracted service provider to a number of Victorian public sector organisations at the time of the attack. As a result of the attack, a malicious third party had unauthorised access to the personal information of tens of thousands of Victorians.
Whilst there is no indication the information has been released, the third party's unauthorised access poses an ongoing risk for affected individuals.
OVIC has investigated to determine whether Datatime had committed serious, flagrant, or repeated contraventions of the Information Privacy Principles under the Privacy and Data Protection Act, and whether it was necessary to issue a compliance notice.
Datatime was voluntarily wound up in October 2023. This action has limited the amount of information obtainable by OVIC, with OVIC unable to formally determine whether Datatime complied with the Information Privacy Principles. Since the company has been wound up, there is no purpose to a compliance notice.
The investigation indicates that Datatime had a number of cyber security deficiencies, and that Datatime did not destroy or permanently de-identify personal information when it was no longer required for any purpose.
Further observations, including lessons for all government organisations and contract service providers about protecting privacy in outsourcing arrangements, can be viewed in this report. These are especially timely given the increased prevalence of cyber-related data breaches occurring in outsourcing contexts.
The release of this report coincides with the commencement of Privacy Awareness Week across the Asia Pacific region.
To access the report:
For media enquiries contact:
Molly Williams
Phone: (03) 8684 7585
Email: media@ovic.vic.gov.au
For general enquiries about FOI, privacy and information security in Victoria contact:
Office of the Victorian Information Commissioner
Phone: 1300 006 842
Email: enquiries@ovic.vic.gov.au