In December 2023, Inspiring Vacations notified the OAIC of a data breach that occurred as a result of a publicly accessible Amazon Web Services (AWS) bucket containing personal information, including contact, identity and limited health information, of Australian individuals.

In response to the incident, the OAIC conducted inquiries with Inspiring Vacations. The OAIC acknowledges that Inspiring Vacations provided information to demonstrate that it had taken steps to contain the incident and put steps in place to prevent customers experiencing further harm from the breach, and that affected individuals were appropriately notified.

Inspiring Vacations provided further assurance to the Australian Information Commissioner, and the community, by offering an enforceable undertaking to further uplift its security and privacy practices to ensure compliance with the Australian Privacy Principles in the Privacy Act 1988 (Cth). This included a commitment to update its policies and procedures in relation to data retention and data handling and enhance its assessment and audit processes.

The OAIC acknowledges that Inspiring Vacations cooperated with the inquiries, discharged its obligations under the Notifiable Data Breaches scheme, and made efforts to improve its information handling practices and strengthen its information security. Having regard to the OAIC’s statement of regulatory approach and guiding principles, on 22 October 2024, the Privacy Commissioner, on behalf of the Australian Information Commissioner, accepted the enforceable undertaking offered by Inspiring Vacations. Accordingly, the OAIC will not take further action in relation to this matter.

Securing the cloud

The OAIC reminds entities that cloud security and management should be a priority for any entity using cloud‑based storage, and there is a shared responsibility for the security of data stored in the cloud. Data breaches can still occur when entities do not properly manage and maintain an appropriate security level in their cloud storage environments.

As outlined in the OAIC's Notifiable data breaches report January to June 2024, reasonable steps to secure personal information stored in cloud environments and mitigate risks of misconfiguration may include:

  • implementing strong access controls such as multi-factor authentication, IP access controls and encryption
  • having policies, processes and procedures in place to govern and attribute responsibilities for the creation, proper configuration and management of cloud data storage
  • scheduling regular security assessments to audit and review cloud configurations
  • extending risk analysis and security monitoring to cover cloud storage environments.