Frontrow Technology
← All insights & guides
Guide

Incident response

Data breach response plan Australia — the first 72 hours, step by step

What an Australian business must do in the first 72 hours of a data breach: containment, evidence, the Privacy Act serious-harm assessment, OAIC and ACSC reporting, and the ransomware payment reporting rule, hour by hour.

Sam Williams · Last reviewed 3 July 2026 · 10 min read

The first 72 hours of a data breach decide most of what follows: how far the attacker gets, whether the evidence survives, whether the regulator sees a competent response or a scramble, and how much of the story the organisation gets to tell in its own words. This is the hour-by-hour sequence Frontrow works through with Australian mid-market organisations, written to be lifted into an incident response plan before it is needed. The legal frame underneath it is the Privacy Act 1988's Notifiable Data Breaches (NDB) scheme, plus newer reporting obligations noted below.

Hour 0–1: contain, and start the log

  • Isolate affected systems: disable compromised accounts, revoke active sessions and tokens in Microsoft Entra ID, isolate affected endpoints in Defender. Contain first, investigate second.
  • Do not wipe or rebuild anything yet. Reimaging a compromised laptop in hour one destroys the forensic record the insurer, investigators and regulator will all want.
  • Start a timestamped incident log immediately: who found what, when, and every action taken. This log becomes the backbone of the OAIC statement, the insurance claim and the board report.
  • Declare the incident internally and name a single incident lead. Committees do not contain breaches.

Hour 1–4: assemble and notify inward

  • Stand up the response team: incident lead, IT/security, legal or privacy officer, communications, and the executive owner. Small organisations may hold four of those hats on two heads; name them anyway.
  • Call the cyber insurer's hotline before commissioning external help. Most policies require notification before costs are incurred, and many appoint their own forensic panel.
  • Engage legal advice early if personal information is plausibly involved. Legal professional privilege over the investigation is a decision for hour two, not day five.
  • Move sensitive coordination off the potentially compromised tenant if account compromise is suspected: an out-of-band channel such as phone or Signal, until identity is verifiably clean.

Hour 4–24: scope, evidence, and external reporting

  • Establish what data was actually touched. Entra ID sign-in logs, the unified audit log in Purview, mailbox audit records and Defender timelines answer the question 'what could this account reach, and what did it reach'. This scoping determines every legal obligation that follows.
  • Preserve evidence deliberately: export relevant logs before retention windows roll, snapshot affected VMs, keep the compromised device powered but isolated.
  • Report the incident to the Australian Signals Directorate via ReportCyber. For critical infrastructure entities covered by the SOCI Act, mandatory clocks are short: critical incidents within 12 hours, other significant incidents within 72 (confirm current rules against your obligations register).
  • Reset credentials in the right order: attacker persistence first (rogue app registrations, inbox rules, MFA method changes, forwarding rules), then compromised accounts, then any account the compromised ones could administer.

Hour 24–48: the serious-harm assessment

Under the NDB scheme, an eligible data breach exists when personal information has been accessed or disclosed without authorisation (or lost where access is likely), and a reasonable person would conclude the access is likely to result in serious harm to any affected individual, and remedial action has not removed that likelihood. The assessment weighs the kind of information (identity documents, financial and health data rank highest), whether protections such as encryption held, who has the data, and what remediation has already achieved. The Privacy Act allows up to 30 days for this assessment where the breach is only suspected, but 30 days is a ceiling, not a target: an organisation that knows by hour 36 should act by hour 36. Document the assessment and its reasoning even if the conclusion is that notification is not required; the reasoning is what the OAIC will ask for.

Hour 48–72: notify outward and steady the ship

  • If the breach is eligible, notify the OAIC via its online NDB form and notify affected individuals as soon as practicable. The statement must describe the breach, the information involved and the steps individuals should take.
  • Write the individual notification for the reader, not the lawyer: what happened, what of theirs is affected, what the organisation has done, what they should do (credential resets, IDCARE's services, credit monitoring where identity documents are involved), and a real contact channel that will be staffed.
  • Brief staff before the public knows, with a short holding line and a clear instruction on where to route enquiries. Frontline staff finding out from customers is an avoidable second incident.
  • Board and executive briefing with the facts as known, the uncertainty as it stands, and the decision points ahead. Serious and repeated privacy failures now carry penalties for bodies corporate up to the greater of AU$50 million, three times any benefit obtained, or 30 per cent of adjusted turnover, which is generally sufficient to secure the board's attention.

After hour 72

Recovery, hardening and the post-incident review follow, and they go better when the first 72 hours were orderly. The uncomfortable finding in most Australian post-incident reviews is that the response went badly not because the plan was wrong but because there was no plan: nobody knew who declared an incident, where the insurer's number was, or that the 30-day assessment window existed. The fix costs an afternoon. Write the plan, put the phone numbers in it, and run one tabletop exercise a year. Frontrow's NDB readiness tool below scores an organisation against exactly these preparation gaps, and the Essential Eight assessment at frontrowtech.com.au/tools/essential-eight scores the controls that make the breach less likely in the first place.

Try it

Score your NDB readiness in five minutes

The Notifiable Data Breach readiness tool walks the preparation questions above (plan, roles, assessment process, notification machinery) and returns a graded gap list to take to the next executive meeting.

10 questions · 5 domains

Notifiable Data Breach Readiness Check

Under the NDB scheme you have 30 days from awareness to assess whether a breach is notifiable, and you must then notify OAIC and affected individuals as soon as practicable. Score whether your Microsoft 365 tenant can detect, scope, notify, remediate and improve fast enough to meet the clock. Pick the option closest to your tenant today.

Domain 1

Detect

Mean time to detect a personal information breach. Without detection, the 30-day clock never starts and the breach gets discovered when an affected individual raises it.

  • What's your estimated mean time to detect a personal-information breach in your M365 tenant?

    Source: OAIC Notifiable Data Breaches Report (median discovery times); Microsoft Learn: Microsoft Defender XDR.

  • What's your Purview Audit log retention?

    Source: Microsoft Learn: Microsoft Purview Audit (Premium); Audit log retention policies.

Domain 2

Scope

How quickly you can determine which individuals' personal information was accessed, exfiltrated or modified. The scoping work is what feeds the OAIC notification.

  • Can you reconstruct the scope of a data exposure (which files accessed, by whom, exfiltrated where) within 7 business days?

    Source: Microsoft Learn: Microsoft Purview eDiscovery (Premium); Microsoft Defender for Cloud Apps file investigation.

  • Can you determine which categories of personal information were involved (health, financial, government identifier) without a manual file-by-file review?

    Source: Microsoft Learn: Microsoft Purview sensitive information types; Trainable classifiers in Microsoft Purview.

Domain 3

Notify

Whether you have a documented notification flow, OAIC contact established, communications templates ready, and legal review pre-arranged.

  • Do you have a documented notifiable data breach response runbook covering OAIC notification, individual notification and stakeholder communications?

    Source: OAIC Notifiable Data Breaches scheme — entity guidance; Privacy Act 1988 s 26WK (notification timing).

  • Are individual notification templates pre-drafted and legally reviewed?

    Source: OAIC: Notifying individuals about an eligible data breach; Privacy Act 1988 s 26WL.

Domain 4

Remediate

Whether the organisation can contain the breach (rotate credentials, revoke tokens, disable accounts, isolate devices) within hours, and preserve evidence for forensic analysis.

  • Do you have containment runbooks for the common breach patterns (compromised user, compromised service principal, compromised endpoint)?

    Source: Microsoft Learn: Investigate and respond to incidents in Microsoft Defender XDR; Microsoft Sentinel automation rules and playbooks.

  • How is evidence preserved during containment to support OAIC investigation and post-incident review?

    Source: Microsoft Learn: Microsoft Purview Audit; Microsoft Defender for Endpoint live response; ISO 27037 digital evidence handling.

Domain 5

Continuous improvement

Whether tabletop exercises run, post-incident reviews update controls, and OAIC published trends inform internal control updates.

  • When did you last run a tabletop exercise for a notifiable data breach scenario?

    Source: OAIC Notifiable Data Breaches Report (sectoral trends); ASD Cyber Incident Response Plan guidance.

  • After a real or simulated incident, how are control updates tracked through to closure?

    Source: ASD Cyber Incident Response Plan guidance; ISO 27035 information security incident management.

This is an indicative self-assessment. It is not a substitute for an incident readiness exercise or legal advice. Frontrow Technology offers a Notifiable Data Breach readiness review with a tabletop exercise.

Common questions

Frequently asked

Do Australian businesses have to report a data breach within 72 hours?
Not under the Privacy Act, which requires notifying the OAIC and affected individuals as soon as practicable once an eligible data breach is identified, with up to 30 days to assess a suspected breach. The hard 72-hour clocks in Australia are narrower: ransomware payment reporting under the Cyber Security Act 2024, and significant-incident reporting for critical infrastructure entities under the SOCI Act. The 72-hour frame remains the right operational target regardless, because evidence, containment and communications all degrade quickly.
What counts as an eligible data breach under the NDB scheme?
Unauthorised access to or disclosure of personal information (or loss where access is likely), where a reasonable person would conclude serious harm to any affected individual is likely, and remedial action has not removed that likelihood. Identity documents, financial details and health information weigh heaviest in the serious-harm assessment.
Does the NDB scheme apply to small businesses?
The Privacy Act generally applies to organisations with annual turnover above AU$3 million, plus smaller entities in specific categories such as health service providers and those trading in personal information. Reform to the small-business exemption has been under discussion; treat current coverage as something to confirm with legal advice rather than assume.
Should a business pay a ransom to prevent data being leaked?
The Australian Government advises against paying: payment funds further crime, offers no guarantee of deletion, and does not remove notification obligations since the data was still accessed. Any business above the turnover threshold that does pay must report the payment within 72 hours under the Cyber Security Act 2024. The better spend is on the controls and the response plan before the event.

Want Frontrow to run this with your team?

A 30-minute call with a senior consultant. No deck. Frontrow walks through your tenant, your priorities and the next sensible move.