Notifiable Data Breach Response for Australian SMBs After a Business Email Compromise: Get the OAIC Notification Right Under Pressure
Your bookkeeper just realised the “supplier” they have been emailing for a fortnight was an attacker sitting inside your Microsoft 365 tenant. The invoice was redirected. Worse, the attacker had been auto-forwarding mail from two senior mailboxes: client contracts, identity documents, payroll files. Under the OAIC’s Notifiable Data Breaches scheme you now have at most 30 days to assess whether this is an eligible data breach, and if it is, you must notify the regulator and every affected individual as soon as practicable after reaching that conclusion. Notifiable Data Breach Response from Cyber by Exegesis is the fixed-scope post-incident engagement that walks an Australian SMB through that 30-day window without making the situation worse.
The problem
A BEC incident is rarely just a payment loss. By the time the redirected invoice is discovered, the attacker has usually been reading mail for days or weeks. ACCC Scamwatch consistently reports payment redirection (BEC) scams among the highest-loss scam categories for Australian businesses, but it is the second-order harm, the personal information that flowed through those compromised mailboxes, that triggers the OAIC’s NDB obligations under Part IIIC of the Privacy Act 1988.
Most SMBs in this position do one of two things wrong. They rush a notification before they have scoped what was actually accessed, or they decide privately that “nothing sensitive” was in the mailbox and skip the assessment entirely. Both are risky. The NDB scheme requires a reasonable, expeditious and documented assessment of whether an eligible data breach has occurred: unauthorised access to or disclosure of personal information that a reasonable person would conclude is likely to result in serious harm to any affected individual. If it has, the OAIC and the affected individuals must be notified. The scheme also has a remedial-action exception: where you act quickly enough that a reasonable person would conclude serious harm is no longer likely, the breach is not eligible, which is one more reason the scoping has to be done properly rather than assumed. Getting the assessment wrong, or skipping it, is the part that compounds the loss.
What Notifiable Data Breach Response does
Cyber by Exegesis runs a fixed-scope, time-boxed engagement built specifically for an SMB that has just discovered a BEC incident and needs to meet its NDB obligations:
- A scoped assessment of the breach against the OAIC NDB criteria — what data was accessible, to whom, for how long, and whether serious harm is likely.
- An eligible-data-breach determination, documented so you have a defensible record of the reasoning whether or not you ultimately notify.
- Drafting of the affected-individual notification — plain English, what happened, what data was involved, what the individual should do (often including a recommendation to engage IDCARE).
- Preparation and submission of the OAIC notification through the regulator’s online form, with you as the signing officer.
- A short remediation summary covering the BEC-specific controls (mailbox-rule audit, MFA reset, token revocation, DMARC posture) that should be closed before the file is closed.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same group behind DRMO. Our scope here is the NDB response itself. We are not your forensic IR provider and we are not your lawyer; we coordinate cleanly with both where they are already engaged.
How it works
- We start with a 60-minute scoping call within one business day of you contacting us, to confirm the incident timeline and what is already known about mailbox access.
- We request a read-only audit role in the affected Microsoft 365 or Google Workspace tenant and pull the audit logs needed to scope the compromise: sign-ins from the attacker’s addresses, inbox-rule and mailbox-forwarding changes, and mailbox item access (MailItemsAccessed in Microsoft 365, whose availability and retention depend on the tenant’s audit licence). Where access was by folder sync, or the log was throttled, we treat the whole folder as accessed rather than trust the item count.
- We assess the breach against the OAIC NDB criteria and produce the eligible-data-breach determination document.
- If notification is required, we draft the affected-individual communications and prepare the OAIC submission for your sign-off.
- We hand over a closing pack — the determination, the notifications sent, the OAIC submission reference, and a list of BEC-specific controls to close before you consider the matter resolved.
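As an added, illustrative example of the log-scoping step above (written for this page, not Cyber by Exegesis tooling): Python that takes AuditData records exported from Search-UnifiedAuditLog, one JSON object per line, pivots from the client IP that created a forwarding rule to the sign-ins and MailItemsAccessed events from that address, and flags the two cases where the per-item count cannot be trusted (folder sync and throttling). Field names follow the Office 365 Management Activity API schema; the mailboxes, addresses, IPs and records are constructed for the example.

```python
"""Scope a BEC mailbox compromise from exported Microsoft 365 Unified Audit Log records.
Added example, not Cyber by Exegesis tooling. Input: one AuditData JSON object per line,
as exported from Search-UnifiedAuditLog. Field names follow the Office 365 Management
Activity API schema; every sample record below is constructed for this example."""
import json
from collections import defaultdict
from datetime import datetime

# Cmdlet parameters that send mail elsewhere, via an inbox rule or mailbox-level forwarding.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _kv(items):
    """Exchange records carry Parameters and OperationProperties as [{Name, Value}, ...]."""
    return {p["Name"]: p["Value"] for p in items or []}


def scope_bec(lines, known_attacker_ips=()):
    """Pass 1: forwarding changes and the client IPs that made them (the intruder).
    Pass 2: attribute sign-ins and MailItemsAccessed events from those IPs to each mailbox."""
    recs = sorted((json.loads(line) for line in lines), key=lambda r: r["CreationTime"])
    attacker_ips, forwarding = set(known_attacker_ips), []
    for r in recs:
        if r.get("Operation") in RULE_OPS:
            params = _kv(r.get("Parameters"))
            for name in sorted(FORWARDING_PARAMS.intersection(params)):
                forwarding.append({"mailbox": r["UserId"], "via": r["Operation"], "param": name,
                                   "destination": params[name], "when": r["CreationTime"],
                                   "client_ip": r.get("ClientIP")})
                if r.get("ClientIP"):
                    attacker_ips.add(r["ClientIP"])  # whoever set the rule is the intruder

    exposure = defaultdict(lambda: {"first_seen": None, "last_seen": None, "items": 0,
                                    "folders": set(), "whole_folder_sync": False,
                                    "undercounted": False})
    for r in recs:
        op = r.get("Operation")
        if (r.get("ClientIPAddress") or r.get("ClientIP")) not in attacker_ips:
            continue  # the owner's own activity is not part of the exposure
        if op == "UserLoggedIn" and r.get("ResultStatus") == "Success":
            mbx = exposure[r["UserId"]]
        elif op == "MailItemsAccessed":
            mbx = exposure[r["MailboxOwnerUPN"]]
            props = _kv(r.get("OperationProperties"))
            if props.get("MailAccessType") == "Sync":
                mbx["whole_folder_sync"] = True  # client synced whole folders; items not itemised
            if props.get("IsThrottled") == "True":
                mbx["undercounted"] = True  # >1000 Bind events in 24h: later reads were not logged
            for folder in r.get("Folders", []):
                mbx["folders"].add(folder["Path"])
                mbx["items"] += len(folder.get("FolderItems", []))
        else:
            continue
        t = datetime.fromisoformat(r["CreationTime"])
        mbx["first_seen"] = t if mbx["first_seen"] is None else min(mbx["first_seen"], t)
        mbx["last_seen"] = t if mbx["last_seen"] is None else max(mbx["last_seen"], t)
    return {"attacker_ips": attacker_ips, "forwarding": forwarding, "exposure": dict(exposure)}


def assessment_notes(summary):
    """Per mailbox, the scoping conclusion an NDB assessor should record."""
    notes = {}
    for upn, e in summary["exposure"].items():
        folders = ", ".join(sorted(e["folders"]))
        if not e["folders"]:
            notes[upn] = "attacker signed in; no mail item access logged"
        elif e["whole_folder_sync"] or e["undercounted"]:
            notes[upn] = f"treat entire contents of {folders} as accessed"
        else:
            notes[upn] = f"{e['items']} items individually accessed in {folders}"
    return notes


_ATTACKER, _OWNER = "203.0.113.45", "198.51.100.8"  # constructed addresses
_items = lambda tag, n: [{"InternetMessageId": f"<{tag}{i}@example.com.au>"} for i in range(n)]
SAMPLE_AUDIT_LINES = [json.dumps(r) for r in [  # constructed records
    {"CreationTime": "2024-05-02T03:14:07", "Operation": "UserLoggedIn",
     "UserId": "cfo@example.com.au", "ClientIP": _ATTACKER, "ResultStatus": "Success"},
    {"CreationTime": "2024-05-02T03:16:40", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com.au", "ClientIP": _ATTACKER,
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "ForwardAsAttachmentTo", "Value": "archive.cfo@example.net"}]},
    {"CreationTime": "2024-05-02T03:20:11", "Operation": "MailItemsAccessed", "LogonType": 0,
     "MailboxOwnerUPN": "cfo@example.com.au", "ClientIPAddress": _ATTACKER,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox"}]},
    {"CreationTime": "2024-05-06T09:00:00", "Operation": "MailItemsAccessed", "LogonType": 0,
     "MailboxOwnerUPN": "cfo@example.com.au", "ClientIPAddress": _OWNER,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": _items("m", 5)}]},
    {"CreationTime": "2024-05-09T22:05:33", "Operation": "MailItemsAccessed", "LogonType": 0,
     "MailboxOwnerUPN": "cfo@example.com.au", "ClientIPAddress": _ATTACKER,
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "True"}],
     "Folders": [{"Path": "\\Sent Items", "FolderItems": _items("s", 3)},
                 {"Path": "\\Inbox", "FolderItems": _items("m", 2)}]},
    {"CreationTime": "2024-05-10T01:02:03", "Operation": "Set-Mailbox",
     "UserId": "payroll@example.com.au", "ClientIP": _ATTACKER,
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:ap.invoices@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]]

if __name__ == "__main__":
    summary = scope_bec(SAMPLE_AUDIT_LINES)
    print(json.dumps(summary["forwarding"], indent=2))
    print(assessment_notes(summary))
```

Against a real export, feed the AuditData column one JSON object per line and pass any addresses the forensic provider has already attributed as known_attacker_ips. The two flags are the point: a Sync record tells you a folder was pulled down without listing its items, and a throttled mailbox stopped logging reads for the rest of that day, so in either case the assessment has to assume the whole folder was exposed.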
Why this matters in Australia
The NDB scheme is a national obligation. Any Australian business with annual turnover above $3 million is captured, as is a long list of smaller entities by sector or activity (health service providers, credit providers, TFN recipients, businesses that trade in personal information). BEC is the most common trigger we see for an NDB assessment in the SMB segment, precisely because the compromised mailbox tends to hold identity documents, contracts, and client personal information that the business never thought of as a “database”. An Australian SMB that handles a BEC-driven NDB assessment well, documented, on time, with a clean notification, comes out of it with regulator trust intact. One that handles it badly turns a payment loss into a regulatory matter.
Sources
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- Cyber by Exegesis — Notifiable Data Breach Response (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Australian SMBs
We are sequencing engagements by incident type (BEC-driven NDB cases first) and by tenant (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, current email tenant, and whether you have an active incident — we will tell you when we can take a brief.