The Real Cost of a Data Breach for an Australian SME
The OAIC says the median cost of a breach is north of $200,000 for small businesses. Here's where the money actually goes — and how to avoid it.
The OAIC publishes breach statistics every six months. In their most recent report, the median cost of a breach for a small or mid-sized Australian business sat just north of $200,000. Here's where the money actually goes — and why the direct costs are only the beginning.
The direct costs
These are the line items on the invoice:
- Incident response. External forensic investigators, usually $15-30k for a small-to-mid breach.
- Legal. Notification letters, regulatory correspondence, client communications. $20-60k depending on complexity.
- Notification costs. Printing, mailing, call centre for affected parties. $5-15k.
- Remediation. Identifying and closing the gap that caused the breach. $10-40k.
- Credit monitoring. Often offered to affected individuals for 12 months. $10-25k.
Add those up and you're already at $60-170k before anyone has sued you.
The indirect costs
Harder to quantify but often bigger than the direct costs:
- Lost clients. The OAIC reports that 30-40% of notified individuals stop doing business with the firm within 12 months of a breach.
- Reputation damage. Any sufficiently serious breach becomes a news story. For professional services firms that rely on trust, this is material.
- Staff time. Your partners will spend weeks dealing with the fallout instead of doing billable work.
- Insurance premium increases. Cyber insurance premiums typically jump 2-3x after a claim.
The regulatory costs
Under the Privacy Act, the OAIC can impose civil penalties of up to $2.5m for individuals and $50m for bodies corporate. These are theoretical ceilings for most breaches, but recent enforcement actions show the regulator is moving toward real penalties for serious or repeat failures.
The true number
Add up direct costs, indirect costs, regulatory costs, and opportunity cost (the revenue you didn't earn while your partners were firefighting), and a "median" breach for a 20-person firm lands between $400k and $1.2m. For a larger firm or a more serious breach, the numbers are much higher.
What you can do for a fraction of that
A data room with proper access controls costs a few hundred dollars a month. A password manager is $5 per user. Two-factor authentication is free. A quarterly permissions audit takes an hour. For roughly $5,000 a year you can close 80% of the breach vectors that hit small firms. The economics are not subtle.