Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

OVIC publishes investigation report on ransomware attack on Datatime Services Pty Ltd

The Office of the Victorian Information Commissioner (OVIC) has published an investigation report into a 2022 ransomware attack, that shows that the personal information of a large number of Victorian adults and children was compromised.

An investigative report by the Office of the Victorian Information Commissioner into a 2022 ransomware attack on Datatime Services Pty Ltd shows that the personal information of a large number of Victorian adults and children was compromised.

Datatime was a contracted service provider to a number of Victorian public sector organisations at the time of the attack. As a result of the attack, a malicious third party had unauthorised access to the personal informal information of tens of thousands of Victorians.

Whilst there is no indication the information has been released, there is an ongoing risk for affected individuals by the unauthorised access from the third party.

OVIC has investigated to determine whether Datatime had committed serious, flagrant, or repeated contraventions of the Information Privacy Principles under the Privacy and Data Protection Act, and whether it was necessary to issue a compliance notice.

Datatime was voluntarily wound up in October 2023. This action has limited the amount of information obtainable by OVIC, with OVIC unable to formally determine whether Datatime complied with the Information Privacy Principles. Since the company has been wound up there is no purpose to a compliance notice.

The investigation indicates that Datatime had a number of cyber security deficiencies, and that Datatime did not destroy or permanently de-identify personal information when it was no longer required for any purpose.

Further observations, including lessons for all government organisations and contract service providers about protecting privacy in outsourcing arrangements can be viewed in this report. These are especially timely given the increased prevalence of cyber-related data breaches occurring in outsourcing contexts.

The release of this report coincides with the commencement of Privacy Awareness Week across the Asia Pacific region.

To access the report:

For media enquiries contact:

Molly Williams

Phone: (03) 8684 7585
Email: media@ovic.vic.gov.au

For general enquiries about FOI, privacy and information security in Victoria contact:

Office of the Victorian Information Commissioner

Phone: 1300 006 842
Email: enquiries@ovic.vic.gov.au

Related News

OVIC publishes audit report on managing personnel security risks during pre-engagement screening for VPS employees

The Victorian Public Sector (VPS) employs thousands of personnel who work across multiple organisations, carrying out a large number of… Continue Reading

60th Asia Pacific Privacy Authorities forum discusses privacy, regulation, enforcement and more.

The Office of the Australian Information Commissioner (OAIC) hosted the 60th Asia Pacific Privacy Authorities (APPA) forum from 30 November… Continue Reading

OVIC’s 2022-23 Annual Report tabled in Victorian Parliament

Then. Now. Next. OVIC’s 2022-23 annual report was tabled in the Victorian Parliament on Wednesday 4 October 2023. In 2022-23, Victorians made 48,117… Continue Reading
Back to top
Back to Top