What to Do After a Data Breach: A Step-by-Step Guide for Australian Businesses
A clear, step-by-step guide for Australian small businesses on how to respond to a data breach, including mandatory notification obligations under the Privacy Act.
Discovering that your business has suffered a data breach is stressful. Your first instinct might be to panic — or worse, to hope it was not that serious and do nothing. Neither response serves you or your customers well. What matters most in the immediate aftermath is acting quickly, methodically, and within your legal obligations. This guide walks you through exactly what to do, step by step.
Before Anything Else: Stay Calm and Act Fast
The decisions you make in the first few hours after discovering a breach can significantly affect how much damage is done. Speed matters — both for limiting the technical impact and for meeting your legal notification obligations under Australian law. Gather the key people in your business, take a breath, and work through the steps below in order.
Step 1: Contain the Breach
Your immediate priority is to stop the attacker from doing more damage.
- Isolate affected systems: Disconnect any device or server you believe has been compromised from your network and the internet. Do not turn it off — preserving the device in its current state may be important for forensic investigation later.
- Change compromised credentials immediately: If account passwords have been stolen or used, change them now. Start with email, banking, and any cloud services with access to sensitive data.
- Revoke active sessions: Most platforms allow you to sign out all active sessions. Do this for any accounts you believe were accessed without authorisation.
- Enable multi-factor authentication (MFA) on affected accounts if it was not already active.
- Preserve logs: Do not delete or modify any system logs, emails, or records related to the incident — these will be critical for understanding what happened and for any regulatory or legal process.
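The log-preservation step above is easy to get wrong under pressure. The following script is an added example, not part of the original guide: it copies a directory of logs into a timestamped evidence folder, records a SHA-256 manifest and a collection note, and makes the copies read-only so later tampering can be detected. It assumes a Linux or Unix host with a POSIX shell and the `sha256sum` utility; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: preserve logs as evidence with a tamper-evident manifest.
# Assumes POSIX sh plus sha256sum, find, cp, chmod (typical Linux).
set -eu

# preserve_logs SRC_DIR DEST_DIR
# Copies every regular file under SRC_DIR into DEST_DIR/evidence-<UTC stamp>/,
# writes MANIFEST.sha256 (hashes taken from the ORIGINAL files) and a
# COLLECTION.txt note, then makes the copies read-only. Prints the folder path.
preserve_logs() {
    src="$1"
    dest="$2"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    evdir="$dest/evidence-$stamp"
    mkdir -p "$evdir"
    # Hash originals before copying; paths are relative so the manifest
    # can be checked against the copies later.
    (cd "$src" && find . -type f -exec sha256sum {} +) > "$evdir/MANIFEST.sha256"
    # cp -p keeps original modification times, which are themselves evidence.
    (cd "$src" && find . -type f -print) | while IFS= read -r f; do
        mkdir -p "$evdir/$(dirname "$f")"
        cp -p "$src/$f" "$evdir/$f"
    done
    printf 'collected_utc=%s\ncollected_by=%s\nsource=%s\n' \
        "$stamp" "$(id -un)" "$src" > "$evdir/COLLECTION.txt"
    # Read-only copies: accidental edits now fail instead of silently altering evidence.
    find "$evdir" -type f -exec chmod a-w {} +
    printf '%s\n' "$evdir"
}

# verify_evidence EVIDENCE_DIR
# Succeeds only if every copied file still matches the recorded hash.
verify_evidence() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}

# make_sample_logs DIR
# Constructed sample data (documentation IP range) so the example runs offline.
make_sample_logs() {
    mkdir -p "$1/web"
    printf 'Jan 12 03:14:07 office-srv sshd[2211]: Accepted password for admin from 203.0.113.5 port 51514 ssh2\n' > "$1/auth.log"
    printf '203.0.113.5 - - [12/Jan/2024:03:15:02 +1000] "GET /admin/export HTTP/1.1" 200 51234\n' > "$1/web/access.log"
}

# Usage: SRC=$(mktemp -d); make_sample_logs "$SRC"; EV=$(preserve_logs "$SRC" /var/evidence); verify_evidence "$EV"
```

Keep the evidence folder on separate storage from the compromised system, and re-run `verify_evidence` before handing anything to a forensic reviewer or regulator.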
Step 2: Assess the Scope
Once you have contained the immediate threat, work out what actually happened.
- What systems or accounts were accessed?
- What data was stored in those systems? This might include customer names, email addresses, payment card details, health information, tax file numbers, or other personal information.
- How many individuals are affected?
- How did the attacker get in? (Phishing, stolen credentials, unpatched software, third-party access?)
- Is the attacker still active in your systems?
You may not be able to answer all of these questions immediately, and that is okay. Document what you know, note what you are still investigating, and engage an IT security professional or managed service provider if you need technical help determining the scope.
Step 3: Notify the Right People
Australian law imposes specific notification obligations on businesses covered by the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988. The NDB scheme applies to:
- Businesses with an annual turnover of $3 million or more
- Health service providers of any size
- Businesses that trade in personal information, or certain other categories defined in the Act
If your business is covered and the breach is likely to result in serious harm to affected individuals, you must:
- Notify the Office of the Australian Information Commissioner (OAIC) within 30 days of becoming aware that an eligible data breach has occurred. Notification is made online at oaic.gov.au.
- Notify affected individuals as soon as practicable. The notification should include what happened, what data was involved, what steps you are taking, and what affected individuals should do to protect themselves.
Additionally, regardless of NDB obligations:
- Report the cyber incident to the Australian Cyber Security Centre (ACSC) via ReportCyber at cyber.gov.au/report. This helps the ACSC understand the threat landscape and may trigger assistance.
- Notify your bank immediately if financial data, payment card details, or bank account information was compromised.
- Notify your cyber insurance provider if you hold a policy — most policies require prompt notification of incidents.
- Consult a lawyer if you are uncertain about your obligations or if the breach involves significant data volumes or sensitive categories of information.
Step 4: Investigate and Fix the Root Cause
Once the immediate crisis is managed, conduct a thorough investigation to understand exactly how the breach occurred. Do not skip this step — if you do not fix the underlying vulnerability, you risk being breached again.
- Engage an IT security professional to conduct a forensic review if needed.
- Patch or remediate the vulnerability that allowed the breach (unpatched software, weak password, misconfigured access controls, etc.).
- Review your security logs to confirm the attacker no longer has access.
- Check whether any backdoors, additional accounts, or malware were installed during the breach.
Step 5: Review and Improve
Every breach is an opportunity to build a stronger security posture. After the immediate response is complete:
- Document what happened, what you did, and what you have changed — this is your incident report.
- Review your security policies and controls and update anything that was found wanting.
- Brief your staff on what happened and what to look out for.
- Consider whether your backup systems worked as expected and whether you could recover quickly if attacked again.
- Review your cyber insurance coverage and whether it met your needs.
A data breach is serious, but businesses that respond well — quickly, transparently, and thoroughly — typically recover their reputation and customer trust. The businesses that suffer lasting damage are usually those that were slow to act or tried to conceal what happened.
Frequently asked questions
Do I have to tell my customers if their data was breached?
If your business is covered by the Notifiable Data Breaches (NDB) scheme — which applies to businesses with an annual turnover of $3 million or more, and certain other businesses regardless of turnover — and the breach is likely to result in serious harm to affected individuals, then yes, you must notify both the Office of the Australian Information Commissioner (OAIC) and the affected individuals. Notification to the OAIC must occur within 30 days of becoming aware of the breach. Even if your business is not covered by the NDB scheme, notifying customers whose data has been compromised is considered best practice and helps preserve trust.
What is the penalty for not reporting a data breach in Australia?
Failing to report an eligible data breach under the NDB scheme is a serious breach of the Privacy Act 1988 and can result in significant penalties. As of the 2023 amendments to the Privacy Act, the maximum penalty for serious or repeated privacy breaches has increased to the greater of $50 million, three times the value of the benefit obtained, or 30 percent of adjusted turnover during the breach period. The OAIC can also conduct investigations, issue determinations, and require remedial action. Beyond financial penalties, reputational damage from failing to notify can be severe.
Who do I report a cyber incident to in Australia?
For mandatory data breach notification, report to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au if the NDB scheme applies to your business. For general cyber incident reporting, use the Australian Cyber Security Centre's ReportCyber portal at cyber.gov.au/report. If financial crime is involved — such as fraud or ransomware payments — also report to the Australian Federal Police or your state police. If customer financial data is compromised, notify your bank or payment processor immediately. Reporting to ReportCyber does not replace OAIC notification if your breach triggers NDB obligations.