The NSW Reconstruction Authority (RA) is aware of a data breach involving personal information belonging to some people who applied for the Northern Rivers Resilient Homes Program (RHP).
The breach occurred when a former contractor of the RA uploaded data containing personal information to an unsecured AI tool which was not authorised by the department.
There is no evidence that any information has been made public; however, Cyber Security NSW will continue to monitor the internet and the dark web to see if any of the information is accessible online.
We understand this news is concerning and we are deeply sorry for the distress it may cause for those who have engaged with the program.
We will be contacting people in the coming days with updates to let them know what has happened and whether they have been impacted or not.
Since learning about the extent of this breach, we have engaged forensic analysts and are working closely with Cyber Security NSW to understand the scope and the risks arising from it.
We expect the forensic analysis to be completed within the coming days. This will give us a clearer understanding of the extent of the breach and the specific data involved.
We know people will want to know exactly what has been shared and we are doing all we can to get that information to them as soon as possible.
So far, there is no evidence that any of the uploaded data has been accessed by a third party.
What happened?
Between 12 and 15 March 2025, personal information held for the Resilient Homes Program (RHP) was uploaded to the AI platform ChatGPT by a former RA contractor.
Once we understood the full scope of the breach, we took immediate steps to contain any further risk. We engaged forensic analysts, began working closely with Cyber Security NSW and commenced inquiries to determine what was shared, what risks may exist, and who was affected.
The data involved was a Microsoft Excel spreadsheet containing 10 columns and over 12,000 rows of information. Every row is being carefully reviewed to understand what information may have been compromised.
This process has been complex and time-consuming and we acknowledge that it has taken time to notify people. Our focus has been on ensuring we had the right information to contact every impacted person accurately and completely.
We understand people will have questions about how this happened and why notification has taken time. To help answer those questions, we’ve initiated an independent review.
What we know
Based on early forensic analysis, up to 3,000 people may be potentially impacted.
At this stage, the information we know has been disclosed includes:
- Names and addresses
- Email addresses
- Phone numbers
- Some personal and health information
What we are doing
Within a week, we will contact anyone impacted to confirm exactly what data was shared and offer personalised support.
We're working with Cyber Security NSW to monitor the internet and dark web for any signs that this information is accessible online. Continuous monitoring of the dark web and broader internet is ongoing and to date, there is no evidence that any uploaded data has been accessed or distributed by a third party.
The NSW Privacy Commissioner has been notified and we’ve reviewed and strengthened our internal systems and processes and issued clear guidance to staff on the use of unauthorised AI platforms, like ChatGPT. Safeguards are now in place to prevent similar incidents in future.
What support is available?
To speak to someone on the phone about what has happened please call the RHP call centre on 1800 844 085 Monday to Friday, 9am-5pm (excluding public holidays).
RA will provide compensation for any reasonable out-of-pocket expenses if any compromised identity documents need to be replaced.
If you have any concerns about protecting your identity, NSW government agency ID Support can help prevent and recover from data breaches with expert advice, free resources and support. You can reach them via their website www.nsw.gov.au/id-support-nsw or call them on 1800 001 040, Monday to Friday, 9am-5pm (excluding public holidays). Interpreter services are available.
ID Support NSW can help by:
- providing advice on compromised identification documents and how to restore your identity security
- guiding you on how to keep your personal identity information safe
- sharing options for additional support and counselling services.
We will continue to share updates and provide support to those who have been impacted.
We understand the seriousness of this breach and are deeply sorry for the potential impact on people. We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the RA.
Frequently asked questions
What happened?
Personal information provided during applications for the RHP was uploaded by a former contractor of the RA to the Artificial Intelligence (AI) platform, ChatGPT.
The data shared was contained in a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information.
When did the breach occur?
The upload took place between 12 and 15 March 2025.
How many people were affected?
Our early analysis indicates that up to 3,000 people may be affected.
Was this a cyber-attack or hacking incident?
No.
This incident occurred when an RA contractor uploaded information from a Microsoft Excel spreadsheet to an unauthorised third-party AI platform, ChatGPT.
Our internal security systems remain secure and have not been compromised.
What is ChatGPT?
ChatGPT is an online AI tool developed by a company called OpenAI. It allows users to ask questions or upload information to help generate written content or ideas.
What personal information was included in the uploaded file?
We're working through the forensic analysis and expect that to be completed within the coming days. At this stage we can confirm the following information has been disclosed:
- names and addresses
- email addresses
- phone numbers
- some personal and health information
Was my financial or banking information uploaded?
We expect to have a complete understanding of the information uploaded within the coming days. As soon as we know, we will contact you with the types of information potentially exposed.
Was any government ID or sensitive information included?
We expect to have a complete understanding of the information uploaded within the coming days. As soon as we know, we will contact you with the types of information potentially exposed.
What have you done to fix the issue?
We are working with Cyber Security NSW to monitor the internet and dark web to see if any of this information is accessible online. The NSW Privacy Commissioner has also been notified.
We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Safeguards are now in place to prevent future uploads of personal information into ChatGPT and other AI platforms.
Have you reported the breach?
Yes, in line with the Privacy and Personal Information Protection Act 1998, the breach was reported to the NSW Privacy Commissioner.
What steps have been taken to ensure this doesn’t happen again?
We’ve conducted a full cyber security review and engaged technical and legal specialists. The RA has also implemented controls to block the upload of personal information into AI tools.
We will continue to update mandatory cyber security training and provide regular communication to ensure every employee is aware of their data obligations.
The RA will continue to review and implement any additional measures that may be needed to better protect the data that we hold.
We have also initiated an independent review of how this breach was identified and managed and will share those findings once it is completed.
What does the breach mean for me?
We believe the risk of misuse is low; however, we recommend staying alert for any suspicious emails or messages that ask for your personal details.
What can I do to protect myself?
- be cautious of emails that look unusual or unexpected
- avoid clicking on links or opening attachments from unknown senders
- contact us if you receive any communication that references your participation in the RHP that is not from the RA.
Will I be contacted directly?
Everyone who registered for the Resilient Homes Program will receive an email.
The email will be sent by the NSW Reconstruction Authority with the subject line: RHP Data Breach. The messages will begin going out in the coming days.
Please check your spam or junk folder if you don’t see it in your inbox.
What support are you offering?
To speak to someone on the phone about what has happened please call the RHP call centre on 1800 844 085, Monday to Friday, 9am-5pm (excluding public holidays).
RA will provide compensation for any reasonable out-of-pocket expenses if any compromised identity documents need to be replaced.
If you have any concerns about protecting your identity, ID Support NSW can provide advice and assistance via their website www.nsw.gov.au/id-support-nsw or call them on 1800 001 040, Monday to Friday, 9am-5pm (excluding public holidays). Interpreter services are available.
Where can I find more information?
This website will include the most up-to-date information. You can also contact the RA on 1800 844 085.

