Lost or Stolen Device Response for Melbourne SMBs: Contain the Data Breach Before It Becomes an OAIC Notification

Your sales manager left a laptop in the back of an Uber on the way home from a client dinner in Southbank. It has the CRM cached, a downloaded export of client contact details from last quarter, a saved Microsoft 365 session, and probably a sticky note with a password somewhere inside. It is 9pm on a Tuesday. Nobody at your business has done this before, the staff member is panicking, and the clock on a possible OAIC notification has already started. Lost or Stolen Device Response from Cyber by Exegesis is the engagement that walks a Melbourne SMB through the next 72 hours methodically — remote wipe, account recovery, password rotation, and the decision about whether this is a notifiable data breach.

The problem

A lost or stolen device is not just a hardware loss. Under the OAIC Notifiable Data Breaches scheme, if the device contained personal information of clients and your business is covered by the Privacy Act, you may have an eligible data breach on your hands — and you have an obligation to assess it promptly and notify OAIC and affected individuals if the risk of serious harm is real. Most Melbourne SMBs do not know whether they are in scope, do not have a documented assessment process, and do not have the technical controls (full-disk encryption, mobile device management, remote wipe) configured to argue that the data was not actually accessible.

The ACSC Small Business Cyber Security Guide is clear that device loss is one of the most common ways SMB data ends up exposed — and the controls that reduce the harm (encryption, MDM enrolment, strong screen-lock policies, account-recovery sequencing) need to be in place before the device goes missing. Once it is gone, the question is how fast you can shrink the blast radius.

What Lost or Stolen Device Response does

Cyber by Exegesis runs a fixed-scope engagement that triggers when an SMB reports a lost or stolen device:

Cyber by Exegesis is the cyber consultancy line of Exegesis, the same parent company behind the DRMO live product. Our scope here is incident triage and containment for one device-loss event. We are not your ongoing IT provider; we sit alongside whatever IT support you have and make the next 72 hours defensible.

How it works

  1. You call or email the Cyber by Exegesis incident line and we open the engagement within the hour. We confirm what device was lost, what it had on it, and who is involved.
  2. We get read-only access to your email tenant and any MDM in use, and we execute remote wipe and session revocation across the affected accounts.
  3. We work through the account-recovery sequence with the staff member — email first, then any financial and customer-data systems, then everything else.
  4. We assemble the police-report and insurance pack and walk the staff member through filing it.
  5. We run the OAIC NDB assessment with you in writing — whether it is notifiable, what the reasoning is, and (if needed) a draft notification to OAIC and to affected individuals.

Why this matters in Melbourne

Melbourne SMBs concentrate professional services, healthcare, and education providers — sectors where the personal information on a single laptop or phone is often enough to trigger the NDB scheme on its own. Trams, Ubers, cafes in the CBD and Fitzroy, and shared coworking spaces produce a steady volume of device-loss incidents. A Melbourne SMB that can remote-wipe a device within hours, sequence account recovery cleanly, and produce a defensible NDB assessment turns a potential six-figure regulatory and reputational problem into a contained operational event.

Join the waitlist — first access when Cyber by Exegesis opens Lost or Stolen Device Response for Melbourne SMBs

We are sequencing engagements by tenant type (Microsoft 365 first, Google Workspace second) and by MDM posture. Join the waitlist with your email tenant and whether you currently have an MDM in place — we will tell you when we are ready to take on incident calls from your business.