Notifiable Data Breach Response for Melbourne SMBs After a Business Email Compromise: Scope It, Notify It, Close It Out

Your bookkeeper paid an invoice on Tuesday. By Friday the real supplier has called to ask where their money is, your IT provider has confirmed that one of your staff mailboxes was accessed from an unfamiliar IP for the past nine days, and you are now staring at an inbox full of client correspondence and attachments that an attacker also had access to. The money is one problem. The data — invoices, contracts, identity documents, payroll PDFs that sat in that mailbox — is the second problem, and it is the one with a statutory clock attached. Notifiable Data Breach (NDB) Response from Cyber by Exegesis is the post-incident engagement that walks a Melbourne SMB through exactly that clock.

The problem

The OAIC Notifiable Data Breaches scheme, established under Part IIIC of the Privacy Act 1988, requires organisations covered by the Act to assess suspected eligible data breaches and notify the OAIC and affected individuals when an eligible data breach has occurred. A BEC incident is not automatically an eligible data breach — but a compromised mailbox very often contains personal information that, once exposed, meets the “likely to result in serious harm” threshold the scheme turns on.

Most Melbourne SMBs facing this situation for the first time make the same three mistakes. They under-scope the breach (only counting the redirected invoice, not the nine days of mailbox access). They miss the 30-day assessment window the OAIC expects for suspected eligible data breaches. And they draft individual notifications that either over-disclose, under-disclose, or fail to give affected individuals the practical steps the OAIC expects to see. None of these are technical problems. They are process problems, and they compound quickly.

What NDB Response does

Cyber by Exegesis runs a fixed-scope post-incident engagement focused on the NDB obligations a BEC incident triggers:

Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is the NDB response itself. We are not your incident-response forensics firm and we are not your lawyer; we run the OAIC-facing process and coordinate with whichever specialists you already have engaged.

How it works

  1. We confirm the engagement scope on a same-day call, sign an NDA, and request the mailbox audit logs and tenant access (Microsoft 365 or Google Workspace) needed to bound the attacker’s window.
  2. We build the access-window inventory — what mailboxes, what date range, what categories of personal information were reachable — and document it.
  3. We run the eligible-data-breach determination against the OAIC threshold and write up the reasoning, whether the conclusion is “notify” or “no notification required”.
  4. If notification is required, we draft the individual statement and the OAIC submission, walk you and your insurer or lawyer through both, and lodge with your sign-off.
  5. We deliver the closeout report and hand back to you a clear picture of the control gaps to fix before the next attempt.
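Steps 1 to 3 above come down to one artefact: the access-window inventory, built from mailbox audit logs by separating attacker activity from normal staff activity and recording, per mailbox, the date range and the categories of personal information that were reachable. The script below is an added example of that bounding exercise, not Cyber by Exegesis's own tooling. It runs over a small constructed set of audit records whose field names loosely follow a Microsoft 365 unified audit log export (an assumption; real exports are far richer and Google Workspace differs), treats every record from an IP outside a known-good allowlist as attacker activity, classifies attachment names into the categories the scheme cares about, and computes the 30-day assessment deadline from the date you became aware of the incident.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample export. Field names loosely follow Microsoft 365 unified
# audit log records (an assumption; real exports carry many more fields and
# Google Workspace uses a different schema). "New-InboxRule" is included
# because mailbox-rule creation is a common trace of BEC tooling.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-04T08:12:00", "UserId": "accounts@example.com.au",
     "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.10",
     "Attachments": ["weekly_report.docx"]},
    {"CreationTime": "2024-03-04T22:41:00", "UserId": "accounts@example.com.au",
     "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.7",
     "Attachments": ["invoice_4411.pdf"]},
    {"CreationTime": "2024-03-07T01:05:00", "UserId": "accounts@example.com.au",
     "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.7",
     "Attachments": ["payroll_feb.pdf", "contract_acme.pdf"]},
    {"CreationTime": "2024-03-09T03:30:00", "UserId": "accounts@example.com.au",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "Attachments": []},
    {"CreationTime": "2024-03-12T23:58:00", "UserId": "accounts@example.com.au",
     "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.7",
     "Attachments": ["passport_scan_jsmith.jpg"]},
    {"CreationTime": "2024-03-13T09:00:00", "UserId": "accounts@example.com.au",
     "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.10",
     "Attachments": []},
    {"CreationTime": "2024-03-10T02:15:00", "UserId": "hr@example.com.au",
     "Operation": "MailItemsAccessed", "ClientIP": "203.0.113.7",
     "Attachments": ["payroll_feb.pdf"]},
]

# Constructed: the office egress address staff normally sign in from.
KNOWN_GOOD_IPS = {"198.51.100.10"}

# Keyword rules mapping attachment names to personal-information categories.
# Crude on purpose: the point is to record what *kind* of data was reachable,
# which is what the serious-harm assessment needs.
CATEGORY_KEYWORDS = {
    "financial": ("invoice", "payroll", "bank", "remittance"),
    "identity": ("passport", "licence", "license", "tfn"),
    "contract": ("contract", "agreement", "engagement"),
}


def classify_attachment(filename):
    """Return the personal-information category an attachment name suggests."""
    name = filename.lower()
    for category, keywords in CATEGORY_KEYWORDS.items():
        if any(k in name for k in keywords):
            return category
    return "uncategorised"


def build_access_window_inventory(records, known_good_ips):
    """Group non-allowlisted activity per mailbox and bound the attacker window."""
    buckets = defaultdict(list)
    for rec in records:
        if rec["ClientIP"] in known_good_ips:
            continue  # normal staff activity is out of scope for the inventory
        buckets[rec["UserId"]].append(rec)

    inventory = {}
    for mailbox, recs in buckets.items():
        times = sorted(datetime.fromisoformat(r["CreationTime"]) for r in recs)
        first, last = times[0], times[-1]
        categories = {classify_attachment(a)
                      for r in recs for a in r.get("Attachments", [])}
        inventory[mailbox] = {
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
            # Inclusive calendar days, which is how the window reads in a report.
            "calendar_days": (last.date() - first.date()).days + 1,
            "attacker_ips": sorted({r["ClientIP"] for r in recs}),
            "operations": sorted({r["Operation"] for r in recs}),
            "categories": sorted(categories),
            "records": len(recs),
        }
    return inventory


def assessment_deadline(awareness_date_iso, window_days=30):
    """Last day of the assessment window, counted from the awareness date."""
    awareness = date.fromisoformat(awareness_date_iso)
    return (awareness + timedelta(days=window_days)).isoformat()


def render_summary(inventory):
    """One line per mailbox, ready to paste into the access-window write-up."""
    lines = []
    for mailbox, entry in sorted(inventory.items()):
        lines.append(
            f"{mailbox}: {entry['first_seen']} to {entry['last_seen']} "
            f"({entry['calendar_days']} days), ips={entry['attacker_ips']}, "
            f"data={entry['categories']}, ops={entry['operations']}"
        )
    return lines


if __name__ == "__main__":
    inv = build_access_window_inventory(SAMPLE_RECORDS, KNOWN_GOOD_IPS)
    print("\n".join(render_summary(inv)))
    print("assessment deadline:", assessment_deadline("2024-03-15"))
```

On the sample data the accounts mailbox comes out as a nine-calendar-day window covering financial, contract and identity material, which is exactly the under-scoping trap described above: counting only the redirected invoice would have missed the payroll PDF and the passport scan. The allowlist approach is the simplest bounding rule; a real engagement would also check unfamiliar user agents, impossible-travel sign-ins and the contents of any inbox rule the attacker created.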

Why this matters in Melbourne

Melbourne concentrates Australia’s mid-market professional services, healthcare practices, and not-for-profits — sectors that routinely hold sensitive personal information in email and that are over-represented in BEC reporting to ACCC Scamwatch. Healthcare in particular is covered by the Privacy Act regardless of turnover, which means a small Melbourne clinic faces the same NDB obligations as a 200-person firm. The cost of getting the NDB response wrong is not just regulatory — it is the loss of trust from clients who find out about a breach via a clumsy notification letter. A Melbourne SMB that runs the NDB process properly within the OAIC’s expected timeframes keeps the regulatory exposure bounded and the client relationships intact.

Join the waitlist

Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Melbourne SMBs

We are sequencing engagements by sector and by tenant type (Microsoft 365 first, Google Workspace second). If you are mid-incident, flag that on the waitlist form — we triage active BEC-triggered NDB matters ahead of preventive work.