Last week, the NSW Reconstruction Authority (RA) revealed it had a data breach in relation to the Northern Rivers Resilient Homes Program (RHP) when a former temporary employee uploaded data containing personal information to ChatGPT between 12 and 15 March 2025. This was not authorised by the RA.

After working closely with Cyber Security NSW and engaging with forensic analysts, who undertook an investigation to understand the size and scale of the breach and the risks arising from it, the RA has confirmed that 2031 people had some information uploaded.

The information disclosed includes general case information as well as:

• Name and contact details
• Residential/mailing address
• Date of birth
• Personal information
• Sensitive health information
• Limited financial commentary, but not banking or financial details

At this stage, the RA has said there is no evidence that any of the uploaded data has been accessed by a third party and that it is now not publicly available online.

An RA spokesperson said, "Importantly, we can confirm that no driver's licence numbers, Medicare numbers, passport numbers, or Tax File Numbers were disclosed in the breach."

When asked if there is now a much lower risk that the personal data is shared from this point on, the RA's local Executive Director, Kristie Clarke, told the Lismore App, "I'm taking the advice of Cyber Security NSW.

"They have been monitoring the internet and Dark Web for some months, and they will continue that monitoring for the foreseeable future. I think that it is low risk that information that has been shared as part of this data breach would now be publicly available."

In a statement released yesterday, the RA has warned people to regularly check credit card and bank statements for unusual transactions. Why have the RA made that warning if no bank account details, driver's license numbers, passport numbers or tax file numbers were shared?

"It's just a precautionary measure, to be honest," Mrs Clarke explained. "In the instance that information did become publicly available, I think it's good practice. We've been working closely with Cyber Security NSW, and they have provided the advice that people should always be vigilant with their personal data.

"It's been well reported of a number of organisations recently who have had data breaches and information that has then been shared on the internet or to hackers in some instances. And I think our breach is much more contained, appears to be much lower risk."

The RA said above that sensitive health information and limited financial commentary were uploaded. What sort of information does that involve?

"As part of that Excel file that was uploaded to ChatGPT, it had 10,000 line items that generally included case notes or specific information about an applicant's name, contact details, and address, so in terms of medical information, we have a provision in the program to consider applications on the basis of individual and exceptional circumstances. Medical information that could have been shared as part of this data breach is generally related to case notes of details of historical medical conditions, disabilities, etc, that may have been provided in support of an applicant's application."

Mrs Clarke said that since 1pm yesterday, RA staff have been calling the small number of people involved.

"It is a small number of the 2,000 that we are making those proactive calls. At this point, I haven't received an update. We have had some email notifications that have been issued, and I think there's been one telephone inquiry, but I'll have an update in terms of the questions and the sentiment of those in that more vulnerable cohort that have been contacted later this afternoon."

Going forward, what has the RA put in place so that there is no further data breach?

"Immediately, we implemented controls to the Resilient Homes Program, such as using a Salesforce system to prevent staff from being able to download information from the system of this nature, to prevent that from happening again. We've also implemented controls to other systems, as well as undertaken additional staff training, and introduced measures to prevent personal information from being uploaded to external AI platforms.

"We've taken the breach really seriously. We've prioritised trying to get to the community as quickly as possible, once we understood the impact and scale and personal impacts for people across the community. I think the measures that we've implemented should give people confidence, but I can appreciate that trust may have been eroded from the RA."

Mrs Clarke stressed that if there are people who have questions about whether they're impacted or not, they should contact the RA call centre that has been established in direct response to the data breach, and the number is (02) 9212 9212.

What support is available?

The RA is working with Social Futures to reach out to people who have been impacted and ID Support NSW, a government identity and cyber security support service, to assist anyone whose data may have been compromised.  

ID Support NSW can help by providing personalised advice on how to protect or restore identity security and share options for additional support and counselling services.

To access this free support, people should: 

• Call ID Support on 1800 001 040 and provide the reference number included in their notification from us. The ID Support team is available Monday to Friday from 9am to 5pm, excluding public holidays. Interpreter services are available.
• Go online to https://portal.idsupport.nsw.gov.au/s/ to access the breach portal. Enter the reference number to enter the portal.

What should people do?

The RA said:

• If anyone impacted wants to discuss the exact types of their personal information that were involved in the data breach, they can contact RA on (02) 9212 9212. Staff are available Monday to Friday from 9am to 5pm, excluding public holidays. 
• We encourage anyone impacted to regularly check credit card and bank statements for unusual transactions. Anyone impacted can ask for a temporary ban on cards or accounts if they detect unusual activity and suspect fraud. Anyone impacted can cancel or suspend the card and request a new card if there are unauthorised transactions or transfers.
• We are also encouraging everyone to remain vigilant of scammers and to remain alert, especially with email, text messages or telephone calls and to use two-step authentication for personal email accounts and other online accounts.
• We are asking people not to share personal information over the phone unless they are certain about who they are sharing it with. And if they notice suspicious access to email accounts and other online accounts, they should reset passwords for their accounts.  
• We will continue to share updates and provide support to those who have been impacted.
• We understand the seriousness of this breach and are deeply sorry for the potential impact on people whose personal and sensitive information has been disclosed.
• We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the NSW Reconstruction Authority. 

For more information, visit nsw.gov.au/RHPdatabreach.