The NSW Reconstruction Authority (RA) is a government organisation that has had its fair share of controversy over the last three and a half years.

The RA has some good people who have done some excellent work for our community since the 2022 floods. However, there have been situations that have not pleased the community, such as the $1.5 billion funding fiasco in its first incarnation as the Northern Rivers Reconstruction Corporation, and the lack of action in the Resilient Lands Program under the NSWRA.

Now, the NSWRA has put its hand up for a data breach involving personal information belonging to some people who applied for the Northern Rivers Resilient Homes Program (RHP).

A spokesman for the NSW Reconstruction Authority said the breach occurred when a former contractor of the RA uploaded data containing personal information to an unsecured AI tool, which was not authorised by the department.

"There is no evidence that any information has been made public; however, this cannot be ruled out, and a thorough investigation is underway by Cyber Security NSW.

"We understand this news is concerning, and we are deeply sorry for the distress it may cause for those who have engaged with the program.

"We will be contacting people this week with updates to let them know what has happened and whether they have been impacted or not.

"Since learning about the extent of this breach, we have engaged forensic analysts and are working closely with Cyber Security NSW to undertake an investigation to understand the scope and the risks arising from it.

"We expect the forensic analysis to be completed within the coming days. This will give us a clearer understanding of the extent of the breach and the specific data involved.

"We know people will want to know exactly what has been shared, and we are doing all we can to get that information to them as soon as possible.

"So far, there is no evidence that any of the uploaded data has been accessed by a third party."

What happened?

The NSWRA spokesperson said that between 12 and 15 March 2025, personal information was uploaded by a former contractor of the RA to the Artificial Intelligence platform ChatGPT.

"Once we understood the full scope of the breach, we took steps to contain any further risks. We began working closely with Cyber Security NSW and engaged forensic analysts. We are undertaking detailed investigations to understand what was shared, what the risks are and who from the program is impacted.  

"The data shared was a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information. All of it must be thoroughly reviewed to understand what may have been compromised.

"The process is highly complex and time-consuming, and we acknowledge that it has taken time to notify people. Our focus has been on making sure we have all the information we need to notify every impacted person correctly.

"We understand that people will have questions about how this could have happened and why it has taken time to notify impacted people. We have initiated an independent review of how this breach was identified and managed and will share those findings once it is completed." 

What we know 

Through early external forensic analysis, it has been confirmed that up to 3000 individuals may be impacted by the breach.

At this stage, the information disclosed may include: 

• names and addresses
• email addresses
• phone numbers
• other personal and health information.

What is the NSWRA doing

"With the assistance of ID Support NSW, we will be contacting people within the next week to confirm what information has been affected and to offer personalised support. We are working with Cyber Security NSW to monitor the internet and dark web to see if any of the information is accessible online. The NSW Privacy Commissioner has also been notified.

"We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Safeguards are now in place to prevent future incidents."

What support is available? 

"We encourage anyone who is concerned to contact the RHP call centre on 1800 844 085, between 9am to 5pm, Monday to Friday.

"ID Support NSW is also available to help. This government agency provides expert advice, free resources and personalised support for people affected by data breaches. You can visit their website at www.nsw.gov.au/id-support-nsw or call them on 1800 001 040, Monday to Friday, 9am–5pm. Interpreter services are available.

"ID Support NSW can help by:

• providing advice on compromised identification documents and how to restore your identity security
• guiding you on how to keep your personal identity information safe
• sharing options for additional support and counselling services.

"The NSW Reconstruction Authority will provide compensation for any reasonable out-of-pocket expenses if any compromised identity documents need to be replaced.

"We will continue to share updates and provide support to those who have been impacted.

"We understand the seriousness of this breach and are deeply sorry for the potential impact on people whose personal and sensitive information has been disclosed.

"We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the NSW Reconstruction Authority."

When the forensic analysis results are concluded this week, the Lismore App will publish its findings.