Investigation into Datatime Services Pty Ltd data breach
In November 2022, Datatime Services Pty Ltd (Datatime) – a contracted service provider (CSP) to a number of Victorian public sector organisations (organisations) – suffered a data breach in the form of a ransomware attack. This meant that a malicious third party had unauthorised access to the personal information of thousands of Victorians.
OVIC decided to investigate under the Privacy and Data Protection Act 2014 (Vic) (PDP Act) to determine whether Datatime had committed serious, flagrant or repeated contraventions of the Information Privacy Principles (IPPs) and whether it was appropriate to issue a compliance notice. Ultimately, Datatime was voluntarily wound up in October 2023. This severely limited the amount of information OVIC could gather, and meant that it was not possible to formally determine compliance with the IPPs, or to decide whether to issue a compliance notice.
The Privacy and Data Protection Deputy Commissioner has nevertheless chosen to issue a report about the investigation, because the circumstances contain valuable lessons for both organisations and CSPs. This is especially so given the increasing prevalence of cyberattacks, including those involving third parties to government organisations.