Skip to Content
From Monday 12 September 2020, OVIC's website will no longer be supported in Internet Explorer (IE).
We recommend installing Microsoft Edge, Google Chrome, Safari, Firefox, or Opera to visit the site.

Investigation into Datatime Services Pty Ltd data breach

In November 2022, Datatime Services Pty Ltd (Datatime) – a contracted service provider (CSP) to a number of Victorian public sector organisations (organisations) – suffered a data breach in the form of a ransomware attack. This meant that a malicious third party had unauthorised access to the personal information of thousands of Victorians.

OVIC decided to investigate under the Privacy and Data Protection Act 2014 (Vic) (PDP Act) to determine whether Datatime had committed serious, flagrant or repeated contraventions of the Information Privacy Principles (IPPs) and whether it was appropriate to issue a compliance notice. Ultimately, Datatime was voluntarily wound up in October 2023. This severely limited the amount of information OVIC could gather, and meant that it was not possible to formally determine compliance with the IPPs, or to decide whether to issue a compliance notice.

The Privacy and Data Protection Deputy Commissioner has nevertheless chosen to issue a report about the investigation, because the circumstances contain valuable lessons for both organisations and CSPs. This is especially so given the increasing prevalence of cyberattacks, including those involving third parties to government organisations.



Size 251.43 KB



Back to Index
Back to top
Back to Top