New South Wales Reconstruction Authority suffers significant data breach. Third party use of AI partly to blame
October 6, 2025
Artificial intelligence is the runaway train of administration, the law and most other areas in which it is used. Its capabilities are rarely fully understood, its dangers are not considered and most users have no idea how it works. If the use of AI causes or contributes to the misuse of personal information, that ignorance is no excuse for failing to comply with privacy legislation.

The New South Wales Reconstruction Authority (the “Authority”) today announced that it has been the subject of a data breach. The breach occurred between 12 and 15 March 2025 and involved names, addresses, email addresses, phone numbers and “some personal and health information.” Names and addresses are personal information. While the Authority stresses that the contractor did not use authorised AI, that does not change its liability. Third party providers are a chronic weak link in any data security network. They are often used because they are cost effective, which may mean they are less invested in data security and proper training. Organisations should include proper cyber security requirements in their contracts, but should also insist on a right to inspect the effectiveness of that cyber security.
This episode highlights the need to determine whether the AI being used is properly integrated and compatible with existing systems, whether appropriate security measures are in place, and whether a proper assessment of the risk has been made.
Some of the factors organisations need to consider are:
- Security – An organisation needs to consider the model type. The starting preference should be a “closed model”, as distinct from an “open model” such as standard ChatGPT. Closed models generally do not allow prompts and results to be used to train the underlying model, and do not retain any data. That addresses the unapproved disclosure of confidential or personal information, which is what occurred in this case. Any AI system should comply with local and international data sovereignty laws, which would mean the data remaining within Australian borders. It is critical to know how, and how often, the underlying Large Language Model (LLM) is trained and updated, and to ensure that those updates are secure and trustworthy or are otherwise subject to sufficient controls.
- Quality of data and training – In addition to the principle of quality in, quality out for data, it is important to have quality training. Organisations should look at models that have invested in industry-specific pre-training to achieve optimal results.
- Quality Assurance – If an organisation uses AI to make decisions, quality assurance is critical. That involves using statistical methods, such as precision and recall, together with regular testing and validation.
- Tracking – It is important to be able to trace work products and decisions. That requires methods to monitor and document where AI has been involved in the development of work products, for example logs of AI interactions or tagging of outputs generated by AI systems.
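As an added illustration of the “Security” and “Tracking” factors above, written for this post and not code from the Authority or any of its providers: a small Python gate that only forwards prompts to an allowlisted closed-model endpoint, flags the columns of a spreadsheet that carry personal information before the file leaves the organisation, and keeps an audit record of every AI interaction. The endpoint URL, the sample rows and the PII patterns are assumptions constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Hypothetical allowlist of approved, onshore "closed model" endpoints (constructed).
APPROVED_ENDPOINTS = {"https://llm.internal.example.gov.au/v1"}

# Illustrative patterns for email addresses and Australian phone numbers (not exhaustive).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "au_phone": re.compile(r"(?:\+61|0)[2-478](?:[ -]?\d){8}"),
}


def find_pii(text):
    """Return the set of PII categories detected in a piece of text."""
    return {name for name, pattern in PII_PATTERNS.items() if pattern.search(text)}


def scan_table(header, rows):
    """Return {column_name: sorted PII categories} for the columns that carry PII,
    so a spreadsheet can be checked before it is sent anywhere outside the organisation."""
    found = {}
    for col, name in enumerate(header):
        categories = set()
        for row in rows:
            categories |= find_pii(str(row[col]))
        if categories:
            found[name] = sorted(categories)
    return found


def gate_ai_request(endpoint, prompt, user, audit_log):
    """Allow a prompt only for an approved endpoint, and append an audit record either way.
    The prompt text itself is never stored in the log, only its SHA-256 and PII categories."""
    approved = endpoint in APPROVED_ENDPOINTS
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "endpoint": endpoint,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "pii": sorted(find_pii(prompt)),
        "decision": "allowed" if approved else "blocked",
    })
    return approved
```

A blocked record that still lists PII categories is the signal a security team would want to review: someone tried to send personal information to an unapproved tool.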
Clearly the Authority will have to review how its third party providers use AI. There was a failure to properly monitor and proscribe practices involving the personal information collected by the Authority and used by third parties.
The data breach has been reported by the ABC under the headline “NSW flood victims’ personal details loaded to ChatGPT in major data breach”.
The media release provides:
The NSW Reconstruction Authority (RA) is aware of a data breach involving personal information belonging to some people who applied for the Northern Rivers Resilient Homes Program (RHP).
The breach occurred when a former contractor of the RA uploaded data containing personal information to an unsecured AI tool which was not authorised by the department.
There is no evidence that any information has been made public, however this cannot be ruled out and a thorough investigation is underway by Cyber Security NSW.
We understand this news is concerning and we are deeply sorry for the distress it may cause for those who have engaged with the program.
We will be contacting people this week with updates to let them know what has happened and whether they have been impacted or not.
Since learning about the extent of this breach, we have engaged forensic analysts and are working closely with Cyber Security NSW to undertake an investigation to understand the scope and the risks arising from it.
We expect the forensic analysis to be completed within the coming days. This will give us a clearer understanding of the extent of the breach and the specific data involved.
We know people will want to know exactly what has been shared and we are doing all we can to get that information to them as soon as possible.
So far, there is no evidence that any of the uploaded data has been accessed by a third party.
What happened?
Between 12 and 15 March 2025, personal information held for the Resilient Homes Program (RHP) was uploaded to the AI platform ChatGPT by a former RA contractor.
Once we understood the full scope of the breach, we took immediate steps to contain any further risk. We engaged forensic analysts, began working closely with Cyber Security NSW and launched a detailed investigation to determine what was shared, what risks may exist, and who was affected.
The data involved was a Microsoft Excel spreadsheet containing 10 columns and over 12,000 rows of information. Every row is being carefully reviewed to understand what information may have been compromised.
This process has been complex and time-consuming and we acknowledge that it has taken time to notify people. Our focus has been on ensuring we had the right information to contact every impacted person accurately and completely.
We understand people will have questions about how this happened and why notification has taken time. To help answer those questions, we’ve initiated an independent review.
What we know
Based on early forensic analysis, up to 3,000 people may be potentially impacted.
At this stage, the information we know that has been disclosed includes:
- Names and addresses
- Email addresses
- Phone numbers
- Some personal and health information
What we are doing
Within a week, we will contact anyone impacted to confirm exactly what data was shared and offer personalised support.
We’re working with Cyber Security NSW to monitor the internet and dark web for any signs that this information is accessible online. Continuous monitoring of the dark web and broader internet is ongoing and to date, there is no evidence that any uploaded data has been accessed or distributed by a third party.
The NSW Privacy Commissioner has been notified and we’ve reviewed and strengthened our internal systems and processes and issued clear guidance to staff on the use of unauthorised AI platforms, like ChatGPT. Safeguards are now in place to prevent similar incidents in future.
What support is available?
To speak to someone on the phone about what has happened please call the RHP call centre on 1800 844 085 Monday to Friday, 9am-5pm (excluding public holidays).
RA will provide compensation for any reasonable out of pocket expenses if any compromised identity documents need to be replaced.
If you have any concerns about protecting your identity, NSW government agency ID Support can help prevent and recover from data breaches with expert advice, free resources and support. You can reach them via their website www.nsw.gov.au/id-support-nsw or call them on 1800 001 040, Monday to Friday, 9am-5pm (excluding public holidays). Interpreter services are available.
ID Support NSW can help by
- providing advice on compromised identification documents and how to restore your identity security
- guiding you on how to keep your personal identity information safe
- sharing options for additional support and counselling services.
We will continue to share updates and provide support to those who have been impacted.
We understand the seriousness of this breach and are deeply sorry for the potential impact on people. We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the RA.
The ABC Report provides:
A major data breach has exposed the private information of up to 3,000 northern NSW residents affected by the 2022 floods.
The NSW Reconstruction Authority (RA) said in a statement the breach occurred in March and involved more than 12,000 rows of data in a spreadsheet from the Northern Rivers Resilient Homes Program.
“Personal information was uploaded by a former contractor of the RA to the artificial intelligence platform ChatGPT,” an RA spokesperson said.
The statement said once the full scope of the breach was understood, the RA took steps to contain the risk and began working with Cyber Security NSW and forensic analysts.
“We are undertaking detailed investigations to understand what was shared, what the risks are and who from the program is impacted,” the statement read.
The Northern Rivers Resilient Homes program assists residents affected by flooding by buying back homes in areas with high flood risk, or making homes more resilient to future floods.
The breach shared the names and addresses of program applicants, as well as email addresses, phone numbers, and other personal and health information.
“There is no evidence that any information has been made public, however this cannot be ruled out,” the statement said.
“The process is highly complex and time-consuming and we acknowledge that it has taken time to notify people. Our focus has been on making sure we have all the information we need to notify every impacted person correctly.”
‘Really sensitive data’
Harper Dalton-Earls’s South Lismore home was bought as part of the Resilient Homes Program after it was flooded in 2022.
Mr Dalton-Earls said he had to supply a “mountain of data” during the application process, and it was not yet clear if that information had been made public.
“I feel concerned — the information with the RA was deeply personal,” he said.
“There’s just so much information that you need to give as part of that program, which is fair and reasonable to ensure it’s equitable.
“But at the same time, there is some really sensitive data on those systems that could be breached.
“People really gave their whole lives — whether it’s financial records, insurance records, experiences of deeply traumatic times, so all of that would be concerning for everybody … and for the RA, in terms of how they manage this type of security breach moving forward.”
Minister ‘really sorry’
NSW Minister for Recovery and Lismore MP Janelle Saffin said she received a preliminary report about the breach in July, and the final report on Friday.
Ms Saffin said she had asked the RA to review and report on the situation and the department’s processes, including its timeliness.
“I would prefer [for the RA] to advise people sooner, and I’m also informed they couldn’t identify everybody, but I need to see the report first,” she said.
“This is our community, my community, so I’m really sorry.”
Ms Saffin said the situation was “being treated with care and consideration”.
The RA said it would contact people this week with updates about how they had been affected and the support available.