Vinomofo Data Breach

That's today's data breach: Vinomofo

We can't even drink wine in peace anymore…

Email received today:

I am writing to provide you with some important information about a recent cyber security incident at Vinomofo.

Vinomofo experienced a cyber security incident where an unauthorised third party unlawfully accessed our database on a testing platform that is not linked to our live Vinomofo website.

We immediately engaged leading cyber security and forensic specialists (including IDCARE, Australia’s national identity and cyber support service) to investigate the claim and took steps to further secure our IT environment and strengthen our systems.

We also reported the matter to the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).

Our investigation established that customers’ and members’ information on our database on this testing platform was unlawfully accessed by a third party. However, our cyber security and forensic specialists have assessed that the risk to our customers and members by this information being accessed is low.

Vinomofo does not hold identity or financial data such as passports, drivers’ licences or credit cards/bank details.

While no passwords, identity documents or financial information were accessed, the database includes other information about customers and members.

The information about you that was contained in the database that may have been accessed may include name, gender, date of birth, address, email address and phone number.

Working with our IT experts, we have taken steps to further bolster the security of our technology systems to help prevent any similar incidents happening again.

We are contacting you directly so you can take simple, precautionary steps to protect your information and avoid any potential scams.

We advise that you remain alert to any increased scam activity – especially email, SMS or telephone phishing scams – with fraudulent communications disguised to look like they come from an organisation you trust.

We recommend that you:

• Remember that good organisations do not contact you and ask you to “prove” who you are. If someone calls you unexpectedly claiming to be from an organisation, consider hanging up and calling them back on a known and trusted number.
• Look out for contact from scammers who may have your personal information. This may include suspicious emails, texts, phone calls or messages on social media. Protect yourself from scams. Never click on any links that look suspicious and never provide your passwords, or any personal or financial information. It is good practice to have up-to-date anti-virus software installed on any device you use to access your emails. Scamwatch also provides helpful guidance on how to spot a scam.
• Consider changing your email account passwords. Make sure you use strong passwords that you do not use for other accounts. Enabling multi-factor authentication is a good idea where possible.

While your Vinomofo account password is still safe to use, it’s a good idea to regularly change your password. You may wish to update your password as a precautionary measure.

You can find further information about online safety, cyber security and helpful tips to protect yourself at the Australian Cyber Security Centre or the ACCC’s Scamwatch website.

If you have any outstanding concerns, we have partnered with IDCARE to provide specialist case management support. IDCARE’s services are at no cost to you. Their expert case managers can be booked online at a time that suits you during business hours (9am to 6pm AEDT). If you wish to engage IDCARE, please complete a Get Help form for individuals at idcare.org or contact 1800 595 160, quoting reference VMF22.

We take the privacy and the protection of customer information very seriously and I apologise for any concern or inconvenience the incident has caused.

We have taken this matter very seriously and we understand you may want to know more. You can access more information on our website at: www.vinomofo.com/cyber-incident-faqs/

If you have any questions, please contact [email protected].

Yours sincerely,

Paul Edginton

Vinomofo CEO

Comments

  • +1

    vinomofo. oh no.

    • +2

      Anyway

    • At least they can confirm address and phone number with the Optus database.

      I don't have address or phone number on Vinomofo file, but now the scammers might find out that I drink wine. 😕🍷

      The most important thing is to make it very clear that I don't buy wine over the phone! Do you understand, wine sellers/spammers? I don't care if you have an amazing deal, I don't buy wine over the phone! 🙃

  • -4

    Gee if only the government would put in place some kind of 'digital ID' that would protect us all from these 'hackers'…he said predictively.

    • -1

      Explain how you think some nutty theory that you think the wef/gov is running to get people digital IDs would solve this?

      Does the store not still need to know your name, phone number and address to ship you your wine?

      What information that a store/website currently holds do you believe would be no longer applicable via this theory?

      • From what I can see (IIUC) you will have all of these details stored on a government database (again) and you will then use your Digital ID to interact with shops/services etc https://www.digitalidentity.gov.au/about-digital-identity

        That way if a business gets hacked all the 'hackers' will get is your digital ID number and not your personal details. For now it is voluntary but soon it won't be and you will have to have one to do any business on the web. They just need to ramp up the fear (i.e. more 'hacking' events) to get more and more people to sign up. It's been their main tactic forever, problem/reaction/solution and the mob falls for it every single time.

        • +1

          All that could possibly replace would be a username and password. No different than a 'sign on with Google' or 'sign on with Apple' etc interface.

          Not a chance it's ever going to act as a repository for every person's possible multiple contact details, address information or payment information that stores will have to interface with.

          Feel free to explain how you believe that would be technically achievable, implemented and reliable?

          the mob falls for it every single time.

          100% Agreed…except I don't think you are talking about the same gullible mob I am.

          • @SBOB: I have a few thoughts but will need to wait and see. :)

            • @EightImmortals: it's ok to admit you don't have the technical knowledge to understand why this will never happen to the level you believe it will. ;)

              • @SBOB: I don't have the technological knowledge about a lot of things. :)

                But I don't really need to know how they will do something, only that they are wanting to do something. A quick search on 'Digital ID dangers' will bring up some reading on how this is way bigger than just having Big Brother keeping your personal details.

                Like all my prognostications, I honestly do hope I am wrong.

                Cheers

  • +1

    Why did I think this had something to do with my dashcam?

  • +5

    Why are they using real customer data in TEST? The only way to stop this is for these companies to be hit with much, much bigger fines.

  • +1

    My personal opinion is that these companies need to reveal at least briefly how they got compromised.

    From my own experience most small to medium sized businesses would not even know if they got hacked as there is no software installed to log intrusions or modifications to databases/files. Basically all they have to go on would be to look at the last edited flag on the file, but most people don't even have detailed view setup in Windows Explorer or something of that sort.

    So, the usual culprit is usually ransomware. If Vinomofo got ransomwared and then the supervisor saw it immediately within a few minutes and whilst it was encrypting and the database was open briefly to the attacker, then subsequently within minutes powered down the machine or cut network access and called for help, then this would be regarded as a low level attack. If the supervisor kept the computer online or the wifi module was embedded on the motherboard and for reasons they don't want to turn off the router as it affects the whole customer service line, then that is a higher severity attack.

    Reasons for keeping it powered on might include some ransomware being able to be decrypted via openly sourced keys, forcing shutdown may result in permanent loss of data, and for some companies this is their only copy of the data…. Sigh… I wouldn't count on doing that, so don't do it; let it corrupt if you have to. Also, some want to pay a ransom to just get it over and done with; that's a dumb idea too because they can still sell the data they vacuum off your company's drives.

    All in all, I hope they actually disclose how they got hacked because that would allow us, the consumers, to determine the severity. We have a right to know this.

  • +2

    protection of customer information very seriously

    I believe this as they put real customer details on a testing platform. /s