Notifiable Data Breach Response for Perth SMBs After Business Email Compromise: Work Out What You Owe the OAIC, and What You Owe Your Customers
Your bookkeeper’s mailbox was sitting open to an attacker for about eleven days. You found it because a client rang to ask why your invoice had different bank details. The IT provider has changed passwords and turned on MFA. Now the harder question is in front of you: that mailbox contained client records, contracts, ID documents, and payment details — does this trigger the OAIC’s Notifiable Data Breaches scheme, and if it does, who do you tell, when, and how? Notifiable Data Breach Response from Cyber by Exegesis is the engagement designed to take a Perth SMB through that decision in days, not weeks.
The problem
Business email compromise is the highest-loss SMB cyber category reported to ACCC Scamwatch, but the loss almost never stops at the redirected invoice. A mailbox compromise is a data compromise. Anything the attacker could read — client PII, tax file numbers, ID scans, contract terms, banking details, health information — is now potentially in their hands. Under the OAIC Notifiable Data Breaches scheme (Part IIIC of the Privacy Act 1988), an “eligible data breach” that is likely to result in serious harm must be notified to the OAIC and to the affected individuals.
The hard part for an SMB is not the legal definition. It is doing the assessment honestly and quickly: what was actually in that mailbox, who is affected, is serious harm likely, and what does the notification need to say. Most SMBs without a privacy officer have never done this before. The 30-day assessment window in the scheme is shorter than it sounds when you are also trying to recover money, rebuild trust with clients, and keep the business running.
What Notifiable Data Breach Response does
Cyber by Exegesis runs a fixed-scope post-incident engagement focused on the NDB obligation specifically:
- A scope assessment of what data was accessible during the compromise window — mailbox contents, attachments, shared drives reachable from the account, and any forwarded data we can identify from the mailbox-rules audit.
- An eligible-data-breach determination against the OAIC NDB scheme criteria, documented in a written assessment we can hand to your lawyers, your insurer, or the OAIC itself.
- Drafting of the affected-individual notification — plain English, what happened, what data was involved, what steps individuals should take, and how to contact you.
- Preparation and submission of the OAIC notification form, working from the OAIC’s published guidance on what an eligible data breach statement must contain.
- A short closeout report listing what was notified, what was decided not to notify (with reasons), and the residual controls work we recommend to close the gap that allowed the BEC in the first place.
Cyber by Exegesis is the cyber consultancy line of Exegesis — the same company behind the DRMO live product. Our scope here is the NDB response itself. We are not your lawyer, your forensic investigator, or your insurer; we run the assessment and notification work and coordinate with those parties.
How it works
- We confirm scope on a same-day call, identify the compromised account(s) and the suspected access window, and request read-only access to the email tenant and any logs your IT provider has preserved.
- We pull mailbox contents, audit logs, and mailbox-rules state for the compromise window, and build a data-categories register — what types of personal information were reachable, and for which individuals.
- We run the eligible-data-breach assessment against the OAIC NDB criteria and document the reasoning, including any remedial action that may avoid serious harm under the scheme.
- If notification is required, we draft the affected-individual notice and the OAIC statement, walk you through both, and submit on your instruction.
- We deliver the closeout report and hand the residual controls work back to your IT provider or to a follow-up Cyber by Exegesis engagement.
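The second step above, scoping the audit log to the suspected access window and flagging mailbox-rule changes that move mail out of the owner's sight, as an added example that is not part of the original page or the consultancy's own tooling. It runs over a constructed Microsoft 365 unified-audit-log export; the field and parameter names (CreationTime, Operation, Parameters, ForwardTo, DeleteMessage, ForwardingSmtpAddress) are assumed from that export format, and every record is made up.

```python
# Added example, not Cyber by Exegesis code: scope a Microsoft 365 unified
# audit log export to the BEC compromise window and flag rule/mailbox changes
# that forward, redirect or delete mail. Field names are assumed from the format.
from datetime import datetime, timezone
import json

# Constructed sample export (a real one is far larger; only these fields matter).
SAMPLE_EXPORT = json.dumps([
    {"CreationTime": "2024-05-02T01:20:41", "Operation": "New-InboxRule",
     "UserId": "books@example.com.au", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "outside@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-09T23:05:00", "Operation": "New-InboxRule",
     "UserId": "books@example.com.au", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2024-04-20T05:00:00", "Operation": "Set-Mailbox",
     "UserId": "books@example.com.au", "ClientIP": "198.51.100.10",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:old@example.com.au"}]},
])

# Parameters on rule/mailbox operations that move mail out of the owner's
# sight; each hit needs a human decision in the scope assessment.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "DeleteMessage", "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def parse_time(s):
    # Audit timestamps are UTC without an offset; make them timezone-aware.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def records_in_window(export_json, start, end):
    """Keep only records whose CreationTime falls inside [start, end]."""
    return [r for r in json.loads(export_json)
            if start <= parse_time(r["CreationTime"]) <= end]

def flag_exfil_rules(records):
    """Return (time, operation, client_ip, {param: value}) for exfil-style changes."""
    hits = []
    for r in records:
        if r["Operation"] not in RULE_OPS:
            continue
        params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
        risky = {k: v for k, v in params.items() if k in EXFIL_PARAMS}
        if risky:
            hits.append((r["CreationTime"], r["Operation"], r["ClientIP"], risky))
    return hits

def triage(export_json, window_start, window_end):
    """Scope the export to the suspected access window, then flag exfil rules."""
    recs = records_in_window(export_json, parse_time(window_start), parse_time(window_end))
    return {"records_in_window": len(recs), "flagged": flag_exfil_rules(recs)}
```

A rule that moves mail to a folder is not flagged on its own; widening the window (here to include the earlier Set-Mailbox record) shows why the access window itself is an assessment decision that should be recorded with its reasoning.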
Why this matters in Perth
Perth SMBs are over-represented in two sectors that hold dense customer PII — mining services contractors and professional services firms supporting the resources industry. Both move large invoices on supplier-payment cycles, which is exactly the operating pattern BEC targets. When a Perth SMB’s mailbox is compromised, the data exposure typically includes contractor ID documents, banking details, and contract terms covering individuals across multiple states. The NDB obligation does not pause for the time-zone gap with the OAIC in Sydney. A Perth SMB that runs the assessment promptly, notifies cleanly, and documents its reasoning is in a materially stronger position with the OAIC, with affected clients, and with its insurer than one that drifts past the 30-day window.
Sources
- OAIC Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
- ACCC Scamwatch (National Anti-Scam Centre): https://www.scamwatch.gov.au/
- ACSC Small Business Cyber Security Guide: https://www.cyber.gov.au/protect-yourself/resources-protect-yourself/personal-cyber-security-guides
- Cyber by Exegesis — Notifiable Data Breach Response (waitlist)
Join the waitlist
Join the waitlist — first access when Cyber by Exegesis opens NDB Response for Perth SMBs
We are sequencing post-incident engagements by urgency and by tenant type (Microsoft 365 first, Google Workspace second). Join the waitlist with your sector and a short note on whether you are currently in an active incident — active matters jump the queue.