Data Breach Response Policy

Purpose

This document provides Lucrii’s internal procedures for responding to suspected or confirmed data breaches in accordance with:

Privacy Act 1988 (Cth) - Notifiable Data Breaches (NDB) scheme
Lucrii Privacy Policy commitments
Best practice incident response

1. What is a Notifiable Data Breach?

Under the NDB scheme, a data breach is “notifiable” if:

There is unauthorised access to, or unauthorised disclosure of, personal information, OR a loss of personal information that Lucrii holds, AND
This is likely to result in serious harm to one or more individuals whose personal information is involved in the breach

“Serious harm” includes:

Identity theft or fraud
Financial loss
Damage to reputation or relationships
Physical or psychological harm
Harassment or stalking

QUICK START: Breach Response Checklist

If you’ve just discovered a potential breach, follow these steps immediately:

STOP - Do not delete logs or attempt to fix the issue yourself
NOTIFY (within 30 minutes):
- Anthony Di Carlo
- Braiden Stiller
- Subject line: “URGENT: POTENTIAL DATA BREACH”
DOCUMENT in your notification:
- When discovered (date/time)
- What was discovered
- How it was discovered
- Initial severity assessment
PRESERVE EVIDENCE - Do not delete anything

2. Breach Response Team

2.1 Core Team

Breach Response Lead: Anthony Di Carlo (Co-founder / CEO)

Overall command and decision-making authority
OAIC liaison
Customer communications approval

Technical Lead: Braiden Stiller (Co-founder / CTO)

Technical investigation
Containment and remediation
AWS/infrastructure liaison

Communications Lead: [To be assigned - Primary: TBD | Backup: Anthony Di Carlo]

Customer notification drafting
Internal communications
Media response (if required)

2.2 Extended Team (As Needed)

External cyber security consultant (if breach is sophisticated)
Legal counsel (for regulatory advice)
Accountant (for insurance claims, if applicable)

3. Breach Response Phases

PHASE 1: Detection and Initial Assessment (0-2 Hours)

3.1 How Breaches May Be Detected

Potential breach indicators:

Unusual AWS alerts or access logs
Customer reports of suspicious activity
Suspicious login attempts or unusual account activity
Third-party security researcher disclosure
PostHog or AWS security event notifications
Employee discovery of unauthorised access

3.2 Immediate Actions (Within 30 Minutes)

Person who discovers potential breach:

STOP and DO NOT:

Delete any logs or evidence
Attempt to “fix” the issue yourself (unless it’s simple password reset)
Post about it on Slack or discuss publicly

IMMEDIATELY notify:

Anthony Di Carlo
Braiden Stiller
Use subject line: “URGENT: POTENTIAL DATA BREACH”

Include in notification:

When discovered (date/time)
What was discovered (describe the incident)
How it was discovered (alert, customer report, etc.)
Initial assessment of severity (Low/Medium/High/Critical)
Any immediate steps already taken

3.3 Breach Response Lead Actions (Within 1 Hour)

Anthony Di Carlo:

Assemble the Breach Response Team (call/Slack/in-person)
Conduct Initial Risk Assessment:
- What personal information may be affected?
- How many customers/individuals potentially impacted?
- What is the potential for serious harm?
- Is this a notifiable breach under the NDB scheme?
Activate Containment (Technical Lead)
Document everything in Breach Incident Log (see Appendix A)

PHASE 2: Containment and Investigation (2-24 Hours)

3.4 Immediate Containment (Within 2 Hours)

Technical Lead (Braiden Stiller):

Stop the bleeding:

Isolate affected systems/servers
Revoke compromised access credentials
Block suspicious IP addresses
Disable compromised user accounts
Implement temporary security controls

Preserve evidence:

Take AWS snapshots of affected systems
Export relevant logs (do NOT delete)
Screenshot AWS CloudTrail, access logs
Document all containment actions taken

Assess scope:

Which Lucrii systems were accessed?
What data was accessed/exfiltrated?
When did the breach start and end?
How did the attacker gain access?

3.5 Initial Customer Notification (Within 24 Hours)

Per Lucrii Privacy Policy commitment: Notify all customers within 24 hours of identifying a potential breach

Communications Lead drafts, Breach Response Lead approves:

Email Template: Initial Breach Notification

Subject: Important Security Notice - Lucrii Data Incident

Dear [Customer Name],

We are writing to inform you that Lucrii has identified a potential data security incident that may affect your account.

What Happened: On [date], we discovered [brief description of the incident, e.g., “unauthorised access to our system”]. We immediately took action to contain the incident and launched an investigation.

What We Know So Far:

The incident was detected on [date/time]
We have [contained the issue / secured the affected systems]
At this time, we are still investigating what data, if any, has been compromised

What We Don’t Know Yet:

The full scope of data that may have been accessed
Whether your specific account data was affected
The identity of the individual(s) responsible

What We’re Doing:

Conducting a thorough investigation
Implementing additional security measures
Working with [cyber security experts / AWS security team] to assess the incident
Notifying relevant authorities as required

What You Should Do:

We recommend changing your Lucrii password immediately: [link to password reset]
If you use the same password for other services, change those as well
Monitor your business accounts for suspicious activity
Enable Two-Factor Authentication (2FA) if you haven’t already: [link to 2FA setup]

What Happens Next: We will provide you with an update within [2-3 business days] with more details about what data was affected and further steps you should take.

If you have immediate questions or concerns, please contact our support team at support@lucrii.io.

We sincerely apologise for this incident and any inconvenience it may cause. Protecting your data is our top priority, and we are committed to keeping you informed throughout this process.

Sincerely,

Anthony Di Carlo
Co-founder & CEO
Lucrii Pty Ltd
ABN 46 694 710 211 / ACN 694 710 211

Delivery:

Send to: All active Lucrii customers
CC: Breach Response Team
Archive: Copy to Breach Incident folder

Definition of “active customers”: All customers with Lucrii accounts who have not explicitly cancelled or whose accounts have not been terminated. This includes:

Paid subscribers
Trial users
Inactive accounts (unless formally closed)

PHASE 3: Full Investigation and Assessment (24 Hours - 7 Days)

3.6 Detailed Forensic Investigation

Technical Lead + External Consultant (if needed):

Determine root cause:

Was it a phishing attack?
Software vulnerability?
Insider threat?
Third-party compromise?

Map the attack timeline:

When did the attacker first gain access?
What actions did they take?
When did they leave/get blocked?

Identify affected data:

Exactly what personal information was accessed?
Customer names, emails, business data?
Sensitive information (financial, health)?
How many individual records?

Assess likelihood of serious harm:

Could this lead to identity theft, fraud, financial loss?
Is the data encrypted? (reduces harm)
Was data exfiltrated or just accessed?
Is there evidence of data being misused?

3.7 NDB Notification Decision

Breach Response Lead (Anthony Di Carlo) must determine whether this is a notifiable breach:

Legal deadline: Within 30 days of becoming aware of the breach (Privacy Act requirement)

Is this an “eligible data breach” under the NDB scheme?

Use this flowchart:

Was there unauthorised access/disclosure or loss of personal information?
├─ NO → Not notifiable (document decision, implement remediation)
└─ YES → Continue ↓

Is it likely to result in serious harm to individuals?
├─ NO → Not notifiable (document decision, implement remediation)
└─ YES → Continue ↓

Can remediation action prevent serious harm?
├─ YES → Not notifiable (document remediation, assess effectiveness)
└─ NO → NOTIFIABLE BREACH → Notify OAIC + affected individuals

Document the decision in writing even if determined not notifiable.

PHASE 4: Notification (If Eligible Data Breach)

4.8 OAIC Notification

Deadline: As soon as practicable after becoming aware the breach is likely to result in serious harm (typically within 72 hours of making the determination)

Method: Online form at https://www.oaic.gov.au/privacy/notifiable-data-breaches/submit-a-data-breach-notification

Information to provide:

Lucrii’s contact details (Lucrii Pty Ltd, ABN 46 694 710 211, PO Box 784, New Farm, QLD 4005)
Description of the breach
Kind(s) of personal information involved
Recommendations for individuals to mitigate harm
Contact details for individuals to obtain more information (support@lucrii.io)

Breach Response Lead submits notification

4.9 Individual Notification

Deadline: As soon as practicable after notifying OAIC (ideally same day)

Method:

Email (primary method)
In-app notification
Phone call for high-risk cases

Must include:

Identity and contact details of Lucrii
Description of the breach
Kind(s) of personal information involved
Recommendations to mitigate potential harm
Contact details for more information

Email Template: Final Breach Notification

Subject: Important: Lucrii Data Breach - Action Required

Dear [Customer Name],

We are writing to inform you of a data security incident at Lucrii that has affected your personal information.

What Happened: On [date], we discovered that [specific description of breach]. Our investigation has confirmed that unauthorised individuals gained access to our system between [start date] and [end date].

What Information Was Affected: The following types of personal information were accessed:

[Specific data types: e.g., names, email addresses, business contact details]
[If applicable: financial information, purchase history, etc.]

[If customer-specific:] Based on our investigation, the following information from your account was accessed:

[List specific data]

What We’ve Done:

Contained the breach and secured our systems
Engaged external cyber security experts to conduct a forensic investigation
Implemented additional security measures including [specific measures]
Notified the Office of the Australian Information Commissioner (OAIC) as required

What You Should Do Immediately:

Change your Lucrii password: [link]
If you use the same password elsewhere, change those passwords
Enable Two-Factor Authentication (2FA): [link]
[If financial data affected:] Monitor your financial accounts for suspicious activity
[If credit card data affected:] Contact your bank to discuss whether to cancel/reissue cards
Be alert for phishing emails that may reference this incident

What We’re Doing to Prevent This:

[Specific remediation steps, e.g., “Implementing enhanced access controls”]
[E.g., “Conducting a full security audit of our infrastructure”]
[E.g., “Providing mandatory security training for all Lucrii staff”]

More Information:

Full incident report: [link to detailed report on website]
FAQ: [link]
Contact us: support@lucrii.io

We sincerely apologise for this incident. Protecting your data is our highest priority, and we are committed to preventing incidents like this in the future.

If you have questions or need assistance, please don’t hesitate to contact us.

Sincerely,

Anthony Di Carlo
Co-founder & CEO
Lucrii Pty Ltd
ABN 46 694 710 211 / ACN 694 710 211
PO Box 784, New Farm, QLD 4005

PHASE 5: Remediation and Prevention (Ongoing)

4.10 Immediate Remediation

Technical Lead:

Patch the vulnerability that allowed the breach
Implement additional security controls:
- Enhanced logging and monitoring
- Stricter access controls
- Additional encryption
- Network segmentation
Conduct security audit:
- Review all AWS configurations
- Review all user access permissions
- Test Lucrii application for similar vulnerabilities

4.11 Formal Incident Report

Breach Response Lead prepares within 14 days of containment:

Incident Report Contents:

Executive summary
Timeline of events
Root cause analysis
Data affected (types and volume)
Number of individuals affected
Containment actions taken
Notification actions (OAIC, customers)
Remediation implemented
Lessons learned
Preventive measures for future

Distribution:

Internal: All Lucrii team members
External: Available to affected customers on request
Board/investors (if applicable)

4.12 Post-Incident Review

Breach Response Team meets within 30 days:

Agenda:

What went well?
What went poorly?
What should we change in this protocol?
What additional security measures are needed?
Training gaps identified?

Update this NDB Protocol document based on lessons learned.

5. Communication Guidelines

5.1 Internal Communications

During active breach response:

Use dedicated Slack channel: #incident-response
No discussion in public channels
No posting to social media or external platforms
Mark all documents CONFIDENTIAL

5.2 External Communications

Media inquiries:

Refer all media to Breach Response Lead
Do not comment to media without authorisation
Use approved holding statement (see Appendix B)

Customer inquiries:

Direct to support@lucrii.io
Use approved FAQ (to be created during incident)
Be honest, transparent, empathetic

5.3 Tone and Messaging Principles

Be transparent: Don’t hide or minimise
Be accountable: Take responsibility
Be empathetic: Acknowledge impact on customers
Be action-oriented: Focus on what you’re doing to fix it
Be clear: Avoid jargon, explain in plain language

6. Record Keeping

6.1 Breach Incident Log

For every suspected breach, maintain a log containing:

Date/time breach discovered
How it was discovered
Initial assessment
Containment actions and timeline
Investigation findings
NDB determination (notifiable or not, with reasoning)
Notifications sent (OAIC, customers, dates)
Remediation actions
Post-incident review outcomes

Store in: Secure folder on AWS (encrypted), accessible only to Breach Response Team
Retention: 7 years (required for regulatory compliance)
Template: Refer to Appendix A.

6.2 Evidence Preservation

Preserve for at least 2 years:

System logs
AWS CloudTrail logs
Email communications
Investigation reports
Legal/OAIC correspondence

7. Training and Testing

7.1 Annual Training

All Lucrii staff must complete annually:

Data breach awareness training
How to recognise a potential breach
How to report a suspected breach
Their role in breach response

7.2 Tabletop Exercises

Conduct tabletop exercise every 6 months:

Scenario examples:

AWS account compromise via phishing
Ransomware attack
Insider threat (employee data theft)
Third-party integration breach (e.g., PostHog compromised)

Participants: All Breach Response Team members

Goals:

Practice decision-making
Test communication protocols
Identify gaps in this protocol
Build muscle memory

8. Legal and Regulatory References

Privacy Act 1988 (Cth):

Part IIIC - Notifiable Data Breaches Scheme

OAIC Resources:

Notifiable Data Breaches scheme: https://www.oaic.gov.au/privacy/notifiable-data-breaches
Data breach preparation and response guide: https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response

Penalties for Non-Compliance:

Failure to notify: Civil penalties up to $2.5 million (for companies)
Serious or repeated interferences with privacy: Up to $50 million or 30% of adjusted turnover

9. Insurance

Cyber Insurance Policy:

Policy number: [To be obtained]
Insurer: [To be selected]
Coverage: [Data breach response costs, legal fees, notification costs, business interruption]
Claims contact: [Insert]

Notify the insurer within 24 hours of breach discovery.

10. Contact Information (Quick Reference)

Internal

Role	Name
Breach Response Lead	Anthony Di Carlo
Technical Lead	Braiden Stiller
Communications Lead	[Primary: TBD] \| Backup: Anthony Di Carlo

External

Entity	Contact	Details
OAIC	Submit notification	https://www.oaic.gov.au/privacy/notifiable-data-breaches/submit-a-data-breach-notification
OAIC Enquiries Line	Phone	1300 363 992
AWS Security	Email	aws-security@amazon.com
Cyber Security Consultant	[TBD]	[Contact]
Legal Counsel	[TBD]	[Contact]
Cyber Insurance	[TBD]	[Contact]

11. Lucrii Company Information

Legal Entity:
Lucrii Pty Ltd
ABN 46 694 710 211 / ACN 694 710 211

Registered Address:
PO Box 784
New Farm, QLD 4005

Websites:
https://lucrii.io/
https://lucrii.ai/
https://app.lucrii.io/

APPENDIX A: Breach Incident Log Template

Category / Field	Details
INCIDENT OVERVIEW
Incident ID	[e.g., NDB-2025-001]
Status	[Suspected / Confirmed / Resolved]
DISCOVERY
Date/Time Discovered
Discovered By
How Discovered
INITIAL ASSESSMENT
Severity	[Low / Medium / High / Critical]
Affected Systems
Estimated # of Records
Types of Data Potentially Affected
Initial Risk of Serious Harm	[Low / Medium / High]
CONTAINMENT
Date/Time Contained
Containment Actions Taken
Systems Secured
INVESTIGATION
Investigation Lead
Root Cause
Attack Vector
Timeline of Breach	[Start - End]
Data Confirmed Affected
# of Individuals Affected
NDB DETERMINATION
Is this a Notifiable Data Breach?	[Yes / No]
Reasoning
Decision Made By
Date of Determination
NOTIFICATIONS
OAIC Notified?	[Yes / No / N/A]
Date (OAIC)
Method (OAIC)
Customers Notified?	[Yes / No / N/A]
Date (Customers)
# of Customers
Method (Customers)
REMEDIATION
Immediate Actions
Long-Term Preventive Measures
Protocol Updates Required?
POST-INCIDENT REVIEW
Review Date
Key Learnings
Action Items

APPENDIX B: Media Holding Statement Template

FOR IMMEDIATE USE - APPROVED MEDIA STATEMENT

Subject: Lucrii Data Security Incident

Lucrii Pty Ltd has identified a data security incident affecting our platform. We detected the incident on [date] and immediately took action to secure our systems and protect customer data.

We are conducting a thorough investigation with the assistance of external cyber security experts. We have notified affected customers and the Office of the Australian Information Commissioner in accordance with our legal obligations under the Notifiable Data Breaches scheme.

Protecting customer data is our highest priority. We are implementing additional security measures and will continue to keep affected customers informed throughout this process.

Customers with questions should contact support@lucrii.io.

We will provide further updates as our investigation progresses.

Contact:
Anthony Di Carlo
Co-founder & CEO
Lucrii Pty Ltd

Braiden Stiller
Co-founder & CTO
Lucrii Pty Ltd

Company Details:
Lucrii Pty Ltd
ABN 46 694 710 211 / ACN 694 710 211
PO Box 784, New Farm, QLD 4005
https://lucrii.io/