Notifiable Data Breach Response for Adelaide SMBs After a Business Email Compromise: Work Out What You Owe the OAIC and Your Customers, Fast
Your accounts manager just realised the “supplier” she has been corresponding with for three weeks isn’t your supplier — and the mailbox she was using has been quietly forwarding copies of every invoice, contract, and customer record attached to those threads to an external address. The money is bad enough. The harder question, sitting on your desk right now, is whether what was exfiltrated triggers the Notifiable Data Breaches scheme — and if so, what you need to tell the OAIC and your affected customers, and by when. NDB Response from Cyber by Exegesis is the engagement that gets you through the next 30 days.
The problem
Business email compromise rarely stops at the redirected invoice. By the time the compromise is detected, the attacker has often sat in the mailbox for weeks, harvesting whatever was in the inbox, the sent folder, and shared drives the account had access to — driver’s licences attached to onboarding emails, TFNs in HR threads, client matter files, contracts with personal addresses. Under the OAIC Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988), if the unauthorised access to or disclosure of that information is likely to result in serious harm to the individuals involved and you can’t contain it with remedial action in time, you have an eligible data breach — and statutory obligations to notify both the OAIC and the affected individuals.
Most Adelaide SMBs hit by BEC have never run an NDB assessment before. The clock is already running. The decisions are not intuitive: what counts as “serious harm”, what counts as “remedial action sufficient to prevent” the harm, how to scope which individuals were actually affected when a mailbox holds years of correspondence, and how to draft a notification that meets the OAIC’s content requirements without panicking a customer base or inviting regulatory follow-up you could have avoided.
What NDB Response does
Cyber by Exegesis runs a fixed-scope post-incident engagement built around the OAIC NDB scheme:
- A scope assessment of what personal information was actually accessible to the compromised account — mailboxes, shared drives, connected SaaS — and what the attacker is reasonably believed to have accessed or exfiltrated.
- An eligible-data-breach determination against the OAIC criteria, documented in writing so you have a defensible record of how you reached the call (notify, don’t notify, or remedial action sufficient to prevent serious harm).
- Drafting of the OAIC notification statement to the content requirements of the scheme, and drafting of the affected-individual notification (plain English, no legalese, with the practical steps individuals should take).
- Coordination of the OAIC submission and a recommended communications sequence for affected individuals.
- A short closing report — what happened, what you notified, what you decided not to notify and why, and the two or three control gaps that let the BEC succeed in the first place.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. NDB Response is post-incident only. We do not do the forensic recovery of the mailbox itself (that is your IT provider or DFIR firm); we do the regulatory and notification workstream that sits alongside them.
How it works
- We take a 30-minute intake call to confirm the timeline, the account(s) involved, and what your IT provider has already established about access and exfiltration.
- We build the scope of personal information at risk from the mailbox, sent items, and connected services — working from your IT provider’s logs and our own structured review.
- We document the eligible-data-breach determination against the OAIC criteria and walk you through it before anything is filed.
- We draft the OAIC notification statement and the affected-individual notification, iterate once with you, and prepare the OAIC submission.
- We close with a written report covering the notifications made, the determination reasoning, and the BEC control gaps to fix so this doesn’t repeat.
Why this matters in Adelaide
Adelaide’s SMB base — defence-supply-chain firms, health and aged care providers, professional services, wine and agribusiness exporters — holds exactly the kind of personal and commercially sensitive information that turns an ordinary BEC into a notifiable breach. ACCC Scamwatch consistently ranks BEC among the highest-loss scam categories reported by Australian businesses, and the pattern in Adelaide is no different: the loss is the redirected payment, but the regulatory exposure is the mailbox contents. An Adelaide SMB that runs a structured NDB assessment in the first week after detection — rather than guessing — is materially better positioned with both the OAIC and its own customers.
Sources
- OAIC Notifiable Data Breaches scheme (Part IIIC, Privacy Act 1988): https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- Cyber by Exegesis — Notifiable Data Breach Response (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Adelaide SMBs
We are sequencing engagements by incident type and by how recently the breach was detected (active incidents first). Join the waitlist with your sector and a short note on the incident timeline — we will tell you when we can take a brief from your business.