Back to Blog
Security30 December 2025

The Real Cost of a Data Breach for an Australian SME

The OAIC says the median cost of a breach is north of $200,000 for small businesses. Here's where the money actually goes, and how to avoid it.

The OAIC publishes breach statistics every six months. In their most recent report, the median cost of a breach for a small or mid-sized Australian business sat just north of $200,000. Here's where the money actually goes, and why the direct costs are only the beginning.

The direct costs

These are the line items on the invoice:

  • Incident response. External forensic investigators, usually $15-30k for a small-to-mid breach.
  • Legal. Notification letters, regulatory correspondence, client communications. $20-60k depending on complexity.
  • Notification costs. Printing, mailing, call centre for affected parties. $5-15k.
  • Remediation. Identifying and closing the gap that caused the breach. $10-40k.
  • Credit monitoring. Often offered to affected individuals for 12 months. $10-25k.

Add those up and you're already at $60-170k before anyone has sued you.

The indirect costs

Harder to quantify but often bigger than the direct costs:

  • Lost clients. The OAIC reports that 30-40% of notified individuals stop doing business with the firm within 12 months of a breach.
  • Reputation damage. Every breach over a certain severity becomes a news story. For professional services firms that rely on trust, this is material.
  • Staff time. Your partners will spend weeks dealing with the fallout instead of billable work.
  • Insurance premium increases. Cyber insurance premiums typically jump 2-3x after a claim.

The regulatory costs

Under the Privacy Act, the OAIC can impose civil penalties of up to $2.5m for individuals and $50m for bodies corporate. These are theoretical ceilings for most breaches, but recent enforcement actions show the regulator is moving toward real penalties for serious or repeat failures.

The true number

Add up direct costs, indirect costs, regulatory costs, and opportunity cost (the revenue you didn't earn while your partners were firefighting), and a "median" breach for a 20-person firm lands between $400k and $1.2m. For a larger firm or a more serious breach, the numbers are much higher.

A realistic scenario

A 15-person accounting firm shares a client's financials via a Google Drive link set to "anyone with the link." A staffer forwards it to a personal address to work from home. Months later that inbox is compromised in an unrelated phishing attack, and the client's TFN and bank details are in the dump. Now the firm is into forensic costs, an OAIC notification, letters to the client, an awkward conversation that loses the client and two referrals, and a cyber-insurance renewal at triple the premium. No one "hacked" the firm — a convenient sharing default did the damage. That's the median breach, and it's almost always preventable.

What you can do for a fraction of that

A data room with proper access controls costs a few hundred dollars a month. A password manager is $5 per user. Two-factor authentication is free. A quarterly permissions audit takes an hour. For roughly $5,000 a year you can close 80% of the breach vectors that hit small firms. The economics are not subtle.

Frequently asked questions

Is $200k really the median for a small business? Once you add direct response costs, lost clients, staff time and premium increases, a mid-sized professional-services breach commonly lands in the $400k–$1.2m range — the headline "median" understates the all-in cost. What's the single highest-leverage fix? Stop sharing sensitive documents via open links and email; move external sharing into an access-controlled, audited data room. Does cyber insurance cover it? Partially — but insurers increasingly require demonstrable controls, and a claim raises your premium for years, so prevention is still far cheaper than recovery.

Related reading