Royal Queensland Yacht Squadron to be questioned by Office of Australian Information Commissioner after data breach
This week, the elite Royal Queensland Yacht Squadron accidentally made the personal details of 617 members, including millionaire business owners, doctors and barristers, public. Now the club must answer for its mistake.
The national privacy regulator will question Royal Queensland Yacht Squadron about a data breach that led to personal details of 617 members being made public.
An email sent to the long-term members on Tuesday night included a spreadsheet containing their full names, dates of birth, home addresses and all contact details.
A spokesman for the Office of the Australian Information Commissioner told The Courier-Mail it was aware of an incident at RQYS and would contact the squadron to establish the facts.
The accidental privacy breach was not discovered until Wednesday morning, and the email containing the personal details of the squadron's oldest members was later recalled.
However, some members have raised concerns about the potential for the details to make members vulnerable to identity theft.
The spreadsheet included the private personal details of millionaires, prominent barristers, solicitors and wealthy business people.
Some members whose personal details were revealed included Queenslanders who have received honours awards.
While RQYS general manager Shawn Ket acknowledged the privacy breach, he said on Wednesday it did not need to be reported to the Office of the Australian Information Commissioner.
This was despite Mr Ket saying RQYS had taken advice from a privacy expert and lawyer that the personal information would be able to be found “by a determined searcher”.
“While we can’t comment on the specifics, we would expect any organisation to act quickly to contain a data breach involving personal information and assess the potential impact on those,” the spokesman said.
“If it’s likely to result in serious harm, and the organisation is covered by the Privacy Act, they must notify the people who are affected and the OAIC as quickly as possible.”
Mr Ket acknowledged that despite the recall, some members might still be able to see the full spreadsheet with members’ personal details, but RQYS had asked them to delete it.
The OAIC says it must be notified when there is unauthorised disclosure of personal information that is likely to result in serious harm to individuals.
Personal information includes names, addresses, dates of birth and phone numbers, which were all included in the emailed list from RQYS.
In 2019-20, the OAIC was notified of 1050 eligible data breaches under the mandatory Notifiable Data Breaches scheme.
“Many were caused by human error or cyber attacks linked to phishing or poor password practices,” the OAIC spokesman said.
“Organisations need to be proactive in protecting personal information and preventing these breaches, including supporting employees with better training, processes and technology.
“They should also be prepared and have a data breach response plan ready to go.
“We advise individuals to respond quickly when they’re notified and take the appropriate action, such as changing passwords, checking accounts and credit reports, and watching out for scams.”
More advice about the Notifiable Data Breach Scheme can be found at https://www.oaic.gov.au/privacy/data-breaches/respond-to-a-data-breach-notification/