Notifiable Data Breach Response for Brisbane SMBs: When a BEC Incident Becomes an OAIC Problem
Your accounts manager rings you on a Tuesday morning. A supplier’s invoice was paid to a bank account that turned out to belong to someone else, and when she logged in to investigate she found mailbox rules in her account she didn’t create — quietly forwarding anything mentioning “invoice” or “remittance” to an outside address for the last six weeks. The money is one problem. The other problem is harder: that mailbox contained client contact details, ABNs, bank details, and a folder of signed engagement letters. You now have thirty days under the Privacy Act to work out whether this is an eligible data breach, and if it is, to tell the OAIC and the people affected. Notifiable Data Breach Response from Cyber by Exegesis is the engagement for the second problem.
The problem
Business email compromise rarely stops at the redirected payment. By the time the fraudulent invoice clears, the attacker has usually had weeks of mailbox access — reading correspondence, harvesting attachments, and setting forwarding rules. The OAIC Notifiable Data Breaches scheme, established under Part IIIC of the Privacy Act 1988, requires organisations covered by the Act to assess suspected eligible data breaches and, where the threshold is met, notify both the OAIC and affected individuals.
Most Brisbane SMBs we speak to after a BEC incident are unsure what was actually exposed, unsure whether they meet the “likely to result in serious harm” threshold, and unsure how to draft a notification that satisfies the OAIC without making the commercial situation worse. The ACSC Small Business Cyber Security Guide is explicit that incident response planning is a core small-business control — but planning is what you do before the breach, and by the time you are reading this you are probably past that point.
What NDB Response does
Cyber by Exegesis runs a fixed-scope post-incident engagement built specifically for SMBs that have had a BEC incident and now face an OAIC NDB assessment:
- A scope assessment of the compromised mailbox or tenant — what was accessible, for how long, and which categories of personal information were exposed.
- An eligible-data-breach determination aligned to the OAIC NDB scheme’s “likely to result in serious harm” threshold, documented so your directors and insurers can see the reasoning.
- Drafting of the OAIC notification statement and the affected-individual notification, in plain English, ready for your principal or legal counsel to review and sign.
- Submission support for the OAIC notification through the regulator’s online form.
- A short remediation note covering the mailbox-rule, DMARC, and payment-process changes needed before you tell affected clients what you have changed.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind DRMO. NDB Response is a post-incident engagement. We are not your forensic investigator and we do not replace your lawyers or your insurer’s panel — we run the OAIC-facing assessment and the notification drafting so your team can keep the business running.
How it works
- We take a one-hour incident intake call, agree the engagement scope, and request read-only access to the affected mailbox or tenant plus any forensic artefacts already collected.
- We reconstruct the access window — mailbox-rule creation dates, sign-in logs, mail items accessed — and produce a written scope-of-compromise baseline.
- We work through the OAIC’s eligible-data-breach test against the categories of personal information exposed, and document the determination either way.
- If the threshold is met, we draft the OAIC statement and the affected-individual notification, walk you through the wording, and support the submission.
- We hand over a closing pack — the assessment, the notifications sent, and the short remediation note — typically inside the 30-day OAIC assessment window.
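The access-window reconstruction in the second step above, as an added Python example that is not Cyber by Exegesis tooling: it triages an exported list of inbox rules and an audit-event export, both constructed samples whose field names only loosely follow the Microsoft Graph messageRule and unified-audit-log shapes (an assumption, not a real export), flags rules that forward finance mail to external addresses or hide their tracks, and bounds the exposure window from the first rule creation to the last recorded mail access.

```python
import json
from datetime import datetime
ORG_DOMAINS = {"example.com.au"}  # assumed: the tenant's own accepted domains
KEYWORDS = {"invoice", "remittance", "payment", "bank"}
# Constructed samples: rule shape loosely follows Graph messageRule, audit events
# use placeholder field names; neither is a real export (both are assumptions).
RULES_JSON = json.dumps([
    {"displayName": ".", "conditions": {"subjectContains": ["invoice", "remittance"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "acct@mail-example.net"}}],
                 "markAsRead": True, "delete": True}},
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news"]},
     "actions": {"moveToFolder": "Newsletters"}},
])
AUDIT_JSON = json.dumps([
    {"Operation": "New-InboxRule", "CreationTime": "2024-03-04T02:11:09Z", "RuleName": "."},
    {"Operation": "MailItemsAccessed", "CreationTime": "2024-03-04T02:15:40Z"},
    {"Operation": "MailItemsAccessed", "CreationTime": "2024-04-15T22:48:03Z"},
])
def external_targets(rule):
    """Forward/redirect recipients whose domain is not one of ours."""
    out = []
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for rcpt in rule.get("actions", {}).get(key, []):
            addr = rcpt.get("emailAddress", {}).get("address", "").lower()
            if addr and addr.rsplit("@", 1)[-1] not in ORG_DOMAINS:
                out.append(addr)
    return out
def rule_findings(rules_json):
    """Flag rules that leak finance mail externally or hide their own activity."""
    findings = []
    for rule in json.loads(rules_json):
        cond, acts = rule.get("conditions", {}), rule.get("actions", {})
        terms = {t.lower() for k in ("subjectContains", "bodyOrSubjectContains")
                 for t in cond.get(k, [])}
        ext, reasons = external_targets(rule), []
        if ext:
            reasons.append("forwards to external: " + ", ".join(ext))
        if terms & KEYWORDS:
            reasons.append("finance keywords: " + ", ".join(sorted(terms & KEYWORDS)))
        if acts.get("delete") or acts.get("markAsRead"):
            reasons.append("hides messages (delete/markAsRead)")
        if reasons:
            findings.append({"rule": rule.get("displayName"), "reasons": reasons})
    return findings
def access_window(audit_json):
    """Earliest and latest attacker-attributable events bound the exposure window."""
    times = sorted(datetime.fromisoformat(e["CreationTime"].replace("Z", "+00:00"))
                   for e in json.loads(audit_json)
                   if e["Operation"] in ("New-InboxRule", "MailItemsAccessed"))
    return times[0], times[-1], (times[-1] - times[0]).days
```

The window returned here (42 days on the constructed sample) is the figure that feeds the scope-of-compromise baseline; the flagged rules tell you which mail categories were leaving the tenant during it.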
Why this matters in Brisbane
Brisbane’s SMB economy leans on professional services, construction, and trades businesses that hold customer PII and move money on invoice cycles — exactly the operating pattern that ACCC Scamwatch identifies as the highest-loss SMB scam category nationally. When a Brisbane SMB above the $3M turnover threshold (or in a covered sector like health) suffers a BEC incident with mailbox access, the NDB clock starts whether the business realises it or not. Running the assessment properly — and notifying when the threshold is met — protects directors, satisfies the regulator, and gives affected clients the information they need to protect themselves.
Sources
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- Cyber by Exegesis — Notifiable Data Breach Response (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Brisbane SMBs
We are sequencing engagements by incident type (BEC-driven mailbox compromise first) and by tenant (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector, current email tenant, and a rough indication of timing — if you are inside an active 30-day OAIC assessment window, tell us in the form and we will reply faster.