Identity Theft Response for Australian Families: A Calm, Sequenced Recovery After a Data Breach
You get the email from a company you barely remember signing up to: your name, date of birth, driver’s licence number and maybe your Medicare number were included in a breach. Then your mum calls because someone tried to open an account in her name. Then your teenager mentions a weird text. The instinct is to panic and freeze every card you own. The better path is a sequenced response: credit-file flag, ATO, banks, accounts, monitoring — in the right order, for every affected family member. Identity Theft Response from Cyber by Exegesis is that sequence, run for your household.
The problem
Data breaches now reach Australian families through entities they cannot avoid: telcos, health insurers, loyalty programs, government-adjacent services. Under the OAIC Notifiable Data Breaches scheme, in-scope organisations must notify affected individuals when an eligible breach occurs — but the notification letter itself rarely tells you what to do, and it certainly does not coordinate across the four or five people in your household whose details may have been exposed in different breaches over different years.
Families also carry an asymmetric risk surface. An older parent is more likely to be targeted by follow-on scam calls referencing the breach — ACCC Scamwatch consistently flags that breached personal data is recycled into convincing impersonation scams. A teenager is more likely to reuse a breached password across gaming, social, and school accounts. Parents in the middle are managing both ends while their own driver’s licence sits in a dump somewhere. ACSC guidance for individuals and families covers the building blocks, but stitching them into one recovery plan across three generations is the hard part.
What Identity Theft Response does
Cyber by Exegesis runs a fixed-scope engagement for a single Australian household, covering up to six identities:
- A credit-file ban request walked through with IDCARE (the national identity and cyber support service), placing temporary suppressions with the major credit bureaus for each affected adult.
- An ATO notification and myGov hardening pass — flagging the affected tax file numbers and re-securing myGov sign-in with strong MFA.
- A bank and card fraud-reporting sequence, with a one-page template per institution so you are not re-explaining the breach five times.
- An account-recovery priority list — email first, then phone carrier, then banking, then everything that hangs off email — with passwords rotated and MFA reset in the correct order.
- Ongoing monitoring setup: credit monitoring enrolment, Have I Been Pwned watchlists, and a 60-day check-in.
- A short written household record of what was changed, what was reported, and the reference numbers from IDCARE, ATO, and each bank.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind DRMO. Our scope here is the response and recovery sequence. We coordinate with IDCARE; we do not replace them.
How it works
- We start with a 60-minute household call. Every adult in scope joins for at least part of it. We map who was in which breach, what data was exposed, and which accounts are downstream of which email addresses.
- We open the IDCARE case together and place credit-file bans for each affected adult on the same day.
- We work through the bank, ATO, and myGov notifications in priority order — typically completed inside 48 hours — with you on the call or screen-share for any step that requires your voice or identity verification.
- We rotate passwords and reset MFA across the household’s priority accounts, working email-first so the recovery chain holds.
- We set up monitoring, hand over the written record, and book the 60-day check-in.
Why this matters in Australia
The OAIC NDB scheme means Australian households are now routinely notified of breaches months or years after the data left the building. ACCC Scamwatch reporting shows that breached identity data is recycled into impersonation scams aimed disproportionately at older Australians, while ACSC guidance for individuals and families is clear that account-recovery order matters — get email wrong and the rest of the recovery fails. A coordinated, sequenced response across the whole household — not five separate panics — is what closes the breach out.
Sources
- ACSC guidance for individuals and families: https://www.cyber.gov.au/protect-yourself
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- eSafety Commissioner (for any image-based or harassment follow-on from a breach): https://www.esafety.gov.au/
- Cyber by Exegesis — Identity Theft Response (waitlist)
Join the waitlist
We are sequencing engagements by household size and by the breaches in scope. Join the waitlist with the number of adults and dependents you need covered, and the breaches you have been notified of — we will tell you when we are ready to take a brief from your household.