Resilient Homes Program data breach
The NSW Reconstruction Authority (RA) can confirm that 2031 people involved in the Northern Rivers Resilient Homes Program (RHP) had some of their personal information involved in a data breach.
The breach occurred when a former temporary staff member of the RA uploaded data containing personal information to an unsecured Artificial Intelligence (AI) tool which was not authorised by RA.
We understand this news is concerning and we are deeply sorry for the distress it may cause for those involved in the program.
We are contacting people to confirm whether their information was affected or not and to offer personalised support.
Since learning about the extent of this breach, we worked closely with Cyber Security NSW and engaged forensic analysts to undertake an investigation to understand the scope and the risks arising from it.
There is no evidence that any of the uploaded data is publicly available online or has been accessed by a third party at this stage. Cyber Security NSW will continue this monitoring.
Importantly, we can confirm that no driver's licence numbers, Medicare numbers, passport numbers, or Tax File Numbers were disclosed in the breach.
What we know
Through external forensic analysis, we have confirmed:
- 2031 people who provided information to the RA for the RHP had some of their data uploaded to ChatGPT.
The information disclosed includes general case information as well as:
- Name and contact details
- Residential/mailing address
- Date of birth
- Sensitive personal information
- Limited financial commentary, but not banking or financial details
What we are doing
With the assistance of ID Support NSW, we are contacting people today to confirm what information has been affected and to offer personalised support. We are working with Cyber Security NSW to monitor the internet and dark web to see if any of the information is accessible online. This analysis will be ongoing. The NSW Privacy Commissioner has also been notified.
We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Additional safeguards are now in place to prevent future incidents.
What support is available?
We are working with Social Futures to reach out to people who have been impacted, and with ID Support NSW, a government identity and cyber security support service, to assist anyone whose data may have been compromised.
ID Support NSW can help by providing personalised advice on how to protect or restore identity security and by sharing options for additional support and counselling services.
To access this free support, people should:
- Call ID Support NSW on 1800 001 040 and provide the reference number included in their notification from us. The ID Support NSW team is available Monday to Friday from 9am to 5pm, excluding public holidays. Interpreter services are available.
- Go online to https://portal.idsupport.nsw.gov.au/s/ to access the breach portal. Enter the reference number to enter the portal.
What should people do?
- If anyone impacted wants to discuss the exact types of their personal information that were involved in the data breach, they can contact the RA on (02) 9212 9212. Staff are available Monday to Friday from 9am to 5pm, excluding public holidays.
- We encourage anyone impacted to regularly check credit card and bank statements for unusual transactions. Anyone impacted can ask for a temporary ban on cards or accounts if they detect unusual activity and suspect fraud. Anyone impacted can cancel or suspend the card and request a new card if there are unauthorised transactions or transfers.
- We are also encouraging everyone to remain alert to scammers, especially with email, text messages or telephone calls, and to use two-step authentication for personal email accounts and other online accounts.
- We are asking people not to share personal information over the phone unless they are certain about who they are sharing it with. And if they notice suspicious access to email accounts and other online accounts, they should reset passwords for their accounts.
Frequently asked questions
Some personal information provided by people during the RHP applications process was uploaded by a former temporary employee of the RA to the AI platform, ChatGPT.
The data shared was contained in a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information.
The upload took place between 12 and 15 March 2025.
2031 people who provided information to the RA for the RHP had some of their data uploaded to ChatGPT.
The information disclosed includes general case information as well as:
- Name and contact details
- Residential/mailing address
- Date of birth
- Personal information
- Sensitive health information
- Limited financial commentary, but not banking or financial details
You will know what information was uploaded in relation to your data if you received a notification letter from ID Support NSW confirming that your data was involved in the breach. You can also contact the RA on (02) 9212 9212 if you want more information. Staff are available Monday to Friday from 9am to 5pm, excluding public holidays.
No.
This incident occurred when a former temporary employee uploaded information from a Microsoft Excel spreadsheet to an unauthorised third-party AI platform, ChatGPT.
Our internal security systems remain secure and have not been compromised.
ChatGPT is an online AI tool developed by a company called OpenAI. It allows users to ask questions or upload information to help generate written content or ideas.
We are working with Cyber Security NSW to monitor the internet and dark web to see if any of this information is accessible online. The NSW Privacy Commissioner has also been notified.
We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Safeguards are now in place to prevent future uploads of personal information into ChatGPT and other AI platforms.
Yes, in line with the Privacy and Personal Information Protection Act 1998, the breach was reported to the NSW Privacy Commissioner.
We’ve conducted a full cyber security review and engaged technical and legal specialists. The RA has also implemented controls to block the upload of personal information into AI tools.
We will continue to update mandatory cyber security training and provide regular communication to ensure every employee and contractor is aware of their data obligations.
The RA will continue to review and implement any additional measures that may be needed to better protect the data that we hold.
We have also initiated an independent review of how this breach was identified and managed and will share those findings once it is completed.
We believe the risk of misuse is low; however, we recommend staying alert for any suspicious emails or messages that ask for your personal details.
- We encourage anyone impacted to regularly check credit card and bank statements for unusual transactions. Anyone impacted can ask for a temporary ban on cards or accounts if they detect unusual activity and suspect fraud. Anyone impacted can cancel or suspend the card and request a new card if there are unauthorised transactions or transfers.
- We are also encouraging everyone to remain alert to scammers, especially with email, text messages or telephone calls, and to use two-step authentication for personal email accounts and other online accounts.
- We are asking people not to share personal information over the phone unless they are certain about who they are sharing it with. And if they notice suspicious access to email accounts and other online accounts, they should reset passwords for their accounts.
Everyone who has engaged with the RHP will receive an email. ID Support will also send notifications to everyone whose personal information was affected.
Please check your spam or junk folder if you don’t see it in your inbox.
We are working with ID Support NSW, a government identity and cyber security support service, to assist anyone whose data may have been compromised.
ID Support NSW can help by providing personalised advice on how to protect or restore identity security and by sharing options for additional support and counselling services.
To access this free support, people should:
- Call ID Support NSW on 1800 001 040 and provide the reference number included in their notification from us. The ID Support NSW team is available Monday to Friday from 9am to 5pm, excluding public holidays. Interpreter services are available.
- Go online to https://portal.idsupport.nsw.gov.au/s/ to access the breach portal. Enter the reference number to enter the portal.
This website will include the most up-to-date information. You can also contact the RA on (02) 9212 9212, Monday to Friday from 9am to 5pm, excluding public holidays.