Northern Rivers Resilient Homes Program data breach

The breach occurred when a former temporary employee of the RA uploaded data containing personal information to an unsecured Artificial Intelligence (AI) tool which was not authorised by RA.

We understand this news is concerning and we are deeply sorry for the distress it may cause for those involved in the program.

We are contacting people today to confirm whether their information was affected or not and to offer personalised support.

Since learning about the extent of this breach, we worked closely with Cyber Security NSW and engaged forensic analysts to undertake an investigation to understand the scope and the risks arising from it.

There is no evidence that any of the uploaded data is publicly available online or has been accessed by a third party at this stage.

Importantly, we can confirm that no driver's licence numbers, Medicare numbers, passport numbers, or Tax File Numbers were disclosed in the breach.

What we know
Through external forensic analysis, we have confirmed:
• 2031 people who provided personal information in relation to the Northern Rivers Resilient Homes Program (RHP) had some of their information involved in a data breach.

The information disclosed includes general case information as well as:
• Name and contact details
• Residential/mailing address
• Date of birth
• Personal information
• Sensitive health information
• Limited financial commentary, but not banking or financial details

What happened?
Between 12 and 15 March 2025, personal information was uploaded by a former temporary employee of the RA to the AI platform ChatGPT.

Once we understood the full scope of the breach, we took steps to contain any further risks. We began working closely with Cyber Security NSW and engaged forensic analysts. We undertook detailed investigations to understand what was shared, what the risks were and who from the program was impacted.

The data shared was a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information. All of it had to be thoroughly reviewed to understand what may have been compromised.

The process was highly complex and time consuming and we acknowledge that it has taken time to notify people. Our focus has been on making sure we had all the information we needed to notify every impacted person correctly.

We understand that people will have questions about how this could have happened and why it has taken time to notify impacted people. We have initiated an independent review of how this breach was identified and managed and will share those findings once it is completed.

What we are doing
With the assistance of ID Support NSW, we are contacting people today to confirm what information has been affected and to offer personalised support. We are working with Cyber Security NSW to monitor the internet and dark web to see if any of the information is accessible online. This analysis will be ongoing. The NSW Privacy Commissioner has also been notified.

We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Additional safeguards are now in place to prevent future incidents.

What support is available?
We are working with Social Futures to reach out to people who have been impacted and ID Support NSW, a government identity and cyber security support service, to assist anyone whose data may have been compromised.

ID Support NSW can help by providing personalised advice on how to protect or restore identity security and share options for additional support and counselling services.

To access this free support, people should:
• Call ID Support on 1800 001 040 and provide the reference number included in their notification from us. The ID Support team is available Monday to Friday from 9am to 5pm, excluding public holidays. Interpreter services are available.
• Go online to https://portal.idsupport.nsw.gov.au/s/ to access the breach portal. Enter the reference number to enter the portal.

What should people do?
• If anyone impacted wants to discuss the exact types of their personal information that were involved in the data breach they can contact RA on (02) 9212 9212. Staff are available Monday to Friday from 9am to 5pm, excluding public holidays.

• We encourage anyone impacted to regularly check credit card and bank statements for unusual transactions. Anyone impacted can ask for a temporary ban on cards or accounts if they detect unusual activity and suspect fraud. Anyone impacted can cancel or suspend the card and request a new card if there are unauthorised transactions or transfers.

• We are also encouraging everyone to remain vigilant of scammers and to remain alert, especially with email, text messages or telephone calls and to use two-step authentication for personal email accounts and other online accounts.

• We are asking people not to share personal information over the phone unless they are certain about who they are sharing it with. And if they notice suspicious access to email accounts and other online accounts, they should reset passwords for their accounts.

We will continue to share updates and provide support to those who have been impacted.

We understand the seriousness of this breach and are deeply sorry for the potential impact on people whose personal and sensitive information has been disclosed.

We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the NSW Reconstruction Authority.

For more information, visit nsw.gov.au/RHPdatabreach