A data breach in Australia can unravel quickly. What starts as a compromised credential or a misconfigured storage bucket can escalate into a notifiable incident, regulatory scrutiny, and reputational fallout inside a single business day. The organisations that come through breaches with the least lasting damage are not necessarily the ones with the most sophisticated defences. They are the ones that have a clear response plan and execute it calmly under pressure. The first 72 hours are where that plan is tested hardest.
Why 72 hours matters under Australian law
Australia's Notifiable Data Breaches (NDB) scheme, established under Part IIIC of the Privacy Act 1988, does not set a hard 72-hour deadline in the way the EU's GDPR does. However, it does require that organisations notify the Office of the Australian Information Commissioner (OAIC) and affected individuals "as soon as practicable" once they are aware of an eligible data breach. The OAIC's guidance makes clear that delays without adequate justification can compound regulatory risk.
In practice, 72 hours functions as the industry benchmark precisely because it is long enough to gather essential facts, short enough to prevent cover-up concerns, and broadly aligned with the timeframe in which initial containment decisions must be made. Organisations covered by the NDB scheme, which includes most entities with an annual turnover above $3 million, as well as health service providers and certain others regardless of size, need to treat this window seriously. For a full breakdown of notification requirements, see our guide on notifiable data breaches in Australia.
Hour 0–6: contain and convene
The first priority is stopping the bleeding. That means isolating affected systems before investigating them, a sequencing many teams get backwards. Preservation of evidence matters, but not at the cost of ongoing exfiltration.
- Isolate, don't power down. Pulling a machine from the network preserves volatile memory and running processes. Shutting it down entirely can destroy forensic evidence that may be needed for the OAIC assessment or law enforcement.
- Revoke compromised credentials immediately. If the breach involved an identity-based attack, reset affected accounts and push MFA re-enrolment across the blast radius. Check for lateral movement before assuming scope is limited.
- Convene your incident response team. This should include IT/security, legal, privacy, communications, and executive representation. If your organisation does not have a standing incident response retainer with an external firm, this is when that gap becomes expensive.
- Preserve logs. Cloud audit trails, firewall logs, SIEM alerts, and access records from the relevant window need to be captured and write-protected immediately. Many Australian organisations discover too late that their log retention window is shorter than the breach's dwell time.
Hour 6–24: assess scope and classify the incident
Once the immediate threat is contained, the focus shifts to understanding what data was accessed or exfiltrated and whether the incident meets the threshold for notification under the NDB scheme. An "eligible data breach" under the scheme requires that personal information was accessed or disclosed without authorisation, and that a reasonable person would conclude this is likely to result in serious harm to the affected individuals.
This assessment is not always straightforward. A breach involving encrypted data where the key was not compromised may not reach the notification threshold. A breach involving unencrypted health records or financial credentials almost certainly does. Legal counsel with privacy law experience should be involved in this classification, not just the IT team.
- Map affected data types. Identify whether the breach involved sensitive information under the Privacy Act, including health data, financial details, government identifiers, or credentials.
- Estimate the number of individuals affected. The OAIC's notification form requires this, and the figure informs the scale of the response.
- Document everything. Contemporaneous records of decisions made during incident response carry significant weight in any regulatory or legal proceeding. Use a running incident log, not just retrospective summaries.
- Engage external forensics if needed. For anything beyond a straightforward phishing credential harvest, independent forensic analysis is advisable. Australian firms such as CyberCX operate 24/7 incident response services for exactly this scenario.
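The "preserve logs" step above and the "document everything" step here both come down to making records tamper-evident from hour zero. As an added example (not from the article or any named firm), the script below copies captured log files into a read-only evidence directory with a SHA-256 manifest, and keeps the running incident log as a hash chain so a retroactive edit to any entry is detectable. Paths, the `ir-lead` actor name and the sample `auth.log` line are constructed for the demo.

```python
import hashlib, json, os, shutil, tempfile, time
from pathlib import Path

GENESIS = "0" * 64  # "previous hash" for the first incident-log entry

def preserve(sources, evidence_dir):
    """Copy each log into evidence_dir, mark the copy read-only, return {name: sha256}."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in map(Path, sources):
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)   # copy2 keeps the original timestamps
        os.chmod(dest, 0o444)     # read-only; an immutable (WORM) store is still the goal
        manifest[src.name] = hashlib.sha256(dest.read_bytes()).hexdigest()
    return manifest

def append_entry(log_path, actor, action, ts=None):
    """Append one entry that commits to the hash of the entry before it."""
    log_path = Path(log_path)
    lines = log_path.read_text().splitlines() if log_path.exists() else []
    prev = json.loads(lines[-1])["hash"] if lines else GENESIS
    entry = {"ts": ts or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "actor": actor, "action": action, "prev": prev}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    with log_path.open("a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry["hash"]

def verify_chain(log_path):
    prev = GENESIS  # True only if every entry hashes correctly and links to its predecessor
    for line in Path(log_path).read_text().splitlines():
        e = json.loads(line)
        h = e.pop("hash")
        if e["prev"] != prev or hashlib.sha256(json.dumps(e, sort_keys=True).encode()).hexdigest() != h:
            return False
        prev = h
    return True

def run_demo():
    # Constructed sample: preserve one log, write two entries, then edit the first one after the fact.
    work = Path(tempfile.mkdtemp())
    sample = work / "auth.log"
    sample.write_text("Jan 01 02:03:04 host sshd[1]: Accepted password for svc from 203.0.113.9\n")
    manifest = preserve([sample], work / "evidence")
    log = work / "incident_log.jsonl"
    append_entry(log, "ir-lead", "isolated host from network", ts="2024-01-01T02:10:00Z")
    append_entry(log, "ir-lead", "preserved auth.log " + manifest["auth.log"], ts="2024-01-01T02:12:00Z")
    intact = verify_chain(log)
    log.write_text(log.read_text().replace("isolated host", "rebooted host"))  # retroactive edit
    return {"manifest": manifest, "intact": intact, "after_tamper": verify_chain(log)}
```

Recording each evidence hash as an incident-log entry, as the demo does, ties the evidence manifest to the decision timeline that the OAIC or counsel may later ask for.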
Hour 24–48: prepare notifications and engage regulators
If the incident is assessed as an eligible data breach, or if there remains a reasonable belief that it may be, the OAIC notification process should begin. Organisations have 30 days from becoming aware of a suspected eligible breach to complete a formal assessment, but the "as soon as practicable" standard means stalling through that window invites scrutiny.
Notification to the OAIC should include a description of the breach, the type of information involved, an estimate of individuals affected, and the steps being taken in response. Notification to affected individuals requires a similar level of detail, communicated in plain language, with practical advice on steps they can take to protect themselves.
At this stage, most organisations also need to consider whether other regulators are in scope. A breach at a financial services firm may trigger APRA obligations. A health provider breach may involve the Australian Digital Health Agency. State-level privacy legislation may apply in certain cases. Coordinating across these obligations simultaneously is one of the hardest parts of the 72-hour window.
Hour 48–72: remediate, communicate, and review
The final phase of the initial response focuses on closing the door that was opened, telling the right people in the right order, and starting the post-incident review that will shape your posture for the next event.
- Patch or reconfigure the exploited vector. Whether it was an unpatched vulnerability, a misconfigured cloud storage bucket, or a socially engineered employee account, the root cause needs to be addressed before systems are brought back online. Organisations that restore operations too quickly without remediating the initial access point are frequently re-compromised within days.
- Prepare external communications. If the breach is likely to become public, a prepared statement is essential. Reactive, ad hoc communications that contradict each other erode trust faster than the breach itself.
- Brief your leadership and board. Executives need to understand what happened, what is being done, and what the regulatory exposure looks like. Many breaches become governance issues when boards are kept in the dark until it is too late.
- Begin a formal post-incident review. The 72-hour window closes, but the review process opens. Root cause analysis, gap assessment against the Essential Eight maturity model, and updated playbook documentation should all follow within two weeks of containment.
Common mistakes that compound the damage
Several patterns appear consistently in poorly managed Australian breach responses. Understanding them in advance is more useful than discovering them under pressure.
The first is scope underestimation. Organisations frequently assume a breach is limited to the system where they first detected it, only to discover weeks later that lateral movement had occurred. Assuming worst case and scaling back is far safer than assuming limited scope and scaling up too late.
The second is notification delay. Some organisations attempt to remediate fully before notifying the OAIC, hoping to present a cleaner picture. This approach risks breaching the "as soon as practicable" standard and can create the appearance of deliberate concealment, which has far more serious consequences than a timely notification that acknowledges ongoing investigation.
The third is treating incident response as a purely technical function. Privacy counsel, communications professionals, and executive decision-makers need to be active participants from the first hour, not briefed after the technical team has made its decisions.
Preparation is the only real hedge against a chaotic response. Tabletop exercises, documented playbooks reviewed against the NDB scheme, and tested external forensics retainers are what separate organisations that manage breaches gracefully from those that are defined by them.
