
Some people working for the NSW government apparently need reminding that it’s Cyber Security Awareness Month, with a spokesperson for the NSW Reconstruction Authority saying this morning that the organisation is aware of a data breach involving personal information belonging to some people who applied for the Northern Rivers Resilient Homes Program (RHP).
Apparently the breach occurred when a former contractor of the RA uploaded data containing personal information to an unsecured AI tool which was not authorised by the department.
The NSWRA spokesperson says there is no evidence that any information has been made public; however, this cannot be ruled out, and a thorough investigation by Cyber Security NSW is underway.
‘We understand this news is concerning and we are deeply sorry for the distress it may cause for those who have engaged with the program,’ said the spokesperson. ‘We will be contacting people this week with updates to let them know what has happened and whether they have been impacted or not.
‘Since learning about the extent of this breach, we have engaged forensic analysts and are working closely with Cyber Security NSW to undertake an investigation to understand the scope and the risks arising from it.
‘We expect the forensic analysis to be completed within the coming days. This will give us a clearer understanding of the extent of the breach and the specific data involved. We know people will want to know exactly what has been shared and we are doing all we can to get that information to them as soon as possible.
‘So far, there is no evidence that any of the uploaded data has been accessed by a third party.’
What happened exactly?
The NSWRA spokesperson says that between 12 and 15 March 2025, personal information was uploaded by a former contractor of the RA to the Artificial Intelligence platform ChatGPT.
‘Once we understood the full scope of the breach, we took steps to contain any further risks. We began working closely with Cyber Security NSW and engaged forensic analysts. We are undertaking detailed investigations to understand what was shared, what the risks are and who from the program is impacted.
‘The data shared was a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information. All of it must be thoroughly reviewed to understand what may have been compromised.
‘The process is highly complex and time consuming and we acknowledge that it has taken time to notify people. Our focus has been on making sure we have all the information we need to notify every impacted person correctly.
‘We understand that people will have questions about how this could have happened and why it has taken time to notify impacted people. We have initiated an independent review of how this breach was identified and managed and will share those findings once it is completed.’
Early external forensic analysis confirms that up to 3000 individuals may be impacted by the breach. At this stage, the information disclosed may include: names and addresses, email addresses, phone numbers, and other personal and health information.
What next?
The NSWRA spokesperson says, ‘With the assistance of ID Support NSW, we will be contacting people within the next week to confirm what information has been affected and to offer personalised support.
‘We are working with Cyber Security NSW to monitor the internet and dark web to see if any of the information is accessible online. The NSW Privacy Commissioner has also been notified.
‘We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Safeguards are now in place to prevent future incidents.
‘We encourage anyone who is concerned to contact the RHP call centre on 1800 844 085, between 9am and 5pm, Monday to Friday.
‘ID Support NSW is also available to help. This government agency provides expert advice, free resources and personalised support for people affected by data breaches. You can visit their website at www.nsw.gov.au/id-support-nsw or call them on 1800 001 040, Monday to Friday, 9am–5pm. Interpreter services are available.’
The NSW Reconstruction Authority says it will provide compensation for any reasonable out-of-pocket expenses if any compromised identity documents need to be replaced.
‘We will continue to share updates and provide support to those who have been impacted,’ said a spokesperson. ‘We understand the seriousness of this breach and are deeply sorry for the potential impact on people whose personal and sensitive information has been disclosed.
‘We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the NSW Reconstruction Authority.’