Request for clarification: assessment of exfiltration claims
Context: Threat actors commonly claim data exfiltration during ransomware incidents. Regulators expect organisations to assess these claims using available evidence and to document the basis for notification decisions.
Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
(For simulation purposes only)
20 March 2026
To: Privacy Officer, LotusCare Services (Simulation)
Subject: LotusCare incident – request for clarification on assessment of possible personal information disclosure
The OAIC acknowledges receipt of your preliminary notification regarding the cybersecurity incident affecting LotusCare Services.
Public claims have been made that information was “exfiltrated” from LotusCare systems. The OAIC notes that such claims may be unverified at the time they are made and that an absence of confirmation does not, by itself, resolve the question of whether an eligible data breach has occurred.
To support our understanding of your current assessment, please provide the following information:
1. Assessment steps
- The steps taken to assess whether personal information was accessed or exfiltrated.
- The internal roles involved (for example, incident response lead, legal, privacy officer).
2. Evidence considered
- The evidence available at this time (for example, system logs, DLP alerts, EDR telemetry, unusual outbound traffic, privileged account activity).
- Any constraints that limit evidence collection (for example, encrypted channels, destroyed logs, incomplete visibility).
3. Threat actor materials
- Any “proof” files or sample records provided by the threat actor and your assessment of their authenticity.
- Any indicators that material may be recycled or unrelated to LotusCare.
4. Notification planning
- Your current view on whether an eligible data breach may have occurred, including the basis for that view.
- Your intended notification approach if personal information is confirmed, including expected timing.
The OAIC notes that organisations are expected to progress their assessment promptly and to keep adequate records of the basis for decisions made under the Notifiable Data Breaches scheme.
Please respond within 5 business days, noting that the OAIC recognises assessments may be ongoing and may need to be updated as new information emerges.
Yours sincerely,
Director, Investigations (Simulation)
Office of the Australian Information Commissioner
Simulation note: This artefact reinforces that “threat actor claims” and “confirmed disclosure” are not the same thing.
Students should treat exfiltration as uncertain until assessed and documented.