THE NSW Reconstruction Authority (RA) is aware of a data breach involving personal information belonging to some people who applied for the Northern Rivers Resilient Homes Program (RHP).
The breach occurred when a former contractor of the RA uploaded data containing personal information to an unsecured AI tool which was not authorised by the department.
There is no evidence that any information has been made public, however this cannot be ruled out and a thorough investigation is underway by Cyber Security NSW.
We understand this news is concerning and we are deeply sorry for the distress it may cause for those who have engaged with the program.
We will be contacting people this week with updates to let them know what has happened and whether they have been impacted or not.
Since learning about the extent of this breach, we have engaged forensic analysts and are working closely with Cyber Security NSW to undertake an investigation to understand the scope and the risks arising from it.
We expect the forensic analysis to be completed within a week. This will give us a clearer understanding of the extent of the breach and the specific data involved.
We know people will want to know exactly what has been shared and we are doing all we can to get that information to them as soon as possible.
So far, there is no evidence that any of
the uploaded data has been accessed by a third party.
What happened?
Between 12 and 15 March 2025, personal information was uploaded by a former contractor of the RA to the Artificial Intelligence platform ChatGPT.
Once we understood the full scope of the breach, we took steps to contain any further risks. We began working closely with Cyber Security NSW and engaged forensic analysts. We are undertaking detailed investigations to understand what was shared, what the risks are and who from the program is impacted.
The data shared was a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information. All of it must be thoroughly reviewed to understand what may have been compromised.
The process is highly complex and time consuming and we acknowledge that it has taken time to notify people. Our focus has been on making sure we have all the information we need to notify every impacted person correctly.
We understand that people will have questions about how this could have happened and why it has taken time to notify impacted people. We have initiated an independent review of how this breach was identified and managed and will share those findings once it is completed.
What we know
At this stage, the information disclosed may include:
- names and addresses
- email addresses
- phone numbers
- other personal and health information.
What we are doing
With the assistance of ID Support NSW, we will be contacting people within the next week to confirm what information has been affected and to offer personalised support. We are working with Cyber Security NSW to monitor the internet and dark web to see if any of the information is accessible online. The NSW Privacy Commissioner has also been notified.
We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Safeguards are now in place to prevent future incidents.
What support is available?
We encourage anyone who is concerned to contact the RHP hotline on 1800 844 085, between 9am to 5pm, Monday to Friday.
ID Support NSW is also available to help. This government agency provides expert advice, free resources and personalised support for people affected by data breaches. You can visit their website at www.nsw.gov.au/id-support-nsw or call them on 1800 001 040, Monday to Friday, 9am–5pm. Interpreter services are available.
ID Support NSW can help by:
- providing advice on compromised identification documents and how to restore your identity security
- guiding you on how to keep your personal identity information safe
- sharing options for additional support and counselling services.
The NSW Reconstruction Authority will provide compensation for any reasonable out of pocket expenses if any compromised identity documents need to be replaced.
We will continue to share updates and provide support to those who have been impacted.
We understand the seriousness of this breach and are deeply sorry for the potential impact on people whose personal and sensitive information has been disclosed.
We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the NSW Reconstruction Authority.
For more information, visit www.nsw.gov.au/RHPdatabreach
Minister for Recovery, Janelle Saffin said:
“I am sorry this has occurred. I would like to reassure the community that the government treats their personal information with care and consideration.
I was advised of a privacy breach on 7 July, including subsequent action that would be taken by the NSW Reconstruction Authority and Cyber Security NSW and noting the contractor involved in the breach no longer works at the agency.
A critical concern for me, as Minister, is that the Reconstruction Authority takes all necessary and diligent steps to protect the personal information of the community.
Where there are any identified shortcomings, it is my expectation that the Authority takes all necessary steps to rectify and remediate their processes, including in the timeliness of responses.
I have asked the NSW Reconstruction Authority to secure the services of a data breach and privacy expert to do a review.
I have asked the NSW Reconstruction Authority to secure specialised local services to support the impacted communities and encourage them to reach out for that support.”
