Northern Rivers Resilient Homes Program Breach Exposes Personal Data of 2,031 Residents

An internal AI upload exposed the personal and health data of 2,031 Northern Rivers Resilient Homes participants. The NSW Reconstruction Authority opened investigations and obtained a court injunction.

    The New South Wales Reconstruction Authority (RA) confirmed that the personal data of 2,031 individuals associated with the Northern Rivers Resilient Homes Program (RHP) was exposed after a former temporary employee uploaded a government spreadsheet to an unauthorized artificial intelligence platform. The breach, which took place between March 12 and 15, 2025, affected flood-impacted homeowners utilizing the program to rebuild or relocate.

    The dataset comprised over 12,000 rows and included names, contact details, addresses, dates of birth, and certain health and sensitive profile data. The RA asserted that more highly sensitive identifiers such as driver’s license numbers, Medicare details, passport records and tax file numbers were not part of the exposed file.

    The RA said it is coordinating a full forensic review with Cyber Security NSW and has initiated an independent investigation into how the incident occurred. The organization is contacting all affected individuals and offering support services, including ID protection and counseling.

    “We understand this news is concerning and we are deeply sorry for the distress it may cause.” — NSW Reconstruction Authority

    Internal Upload to AI Platform Allowed Unauthorized Access but No Evidence Yet of Data Publication

    According to public statements from the RA, the breach was traced to a former temporary staff member who used a non-sanctioned AI tool to upload the program’s internal spreadsheet. The file in question was reportedly used in RHP assessments and contained personal and some health-related metadata. After discovering the improper upload, the RA immediately suspended external access, engaged forensic specialists, and began outreach to individuals whose data may have been compromised.

    Despite the exposure, the RA stated that it has not found any indication that the data was accessed by third parties or posted publicly. Possible avenues for further leakage remain under investigation. The Reconstruction Authority also secured a court injunction from the New South Wales Supreme Court, forbidding unauthorized parties from accessing, viewing or publishing the stolen data if it does appear online.

    The agency highlighted that the breach was limited to certain participant records and did not compromise broader RHP systems or underlying databases. It said disruption to the homes program itself has been minimal and that staff protocols around use of AI tools and data handling have already been tightened.

    Support Programs, Legal Oversight and Notifiable Data Breach Reporting Requirements

    Affected residents will be contacted directly by RA, and the agency is offering assistance through ID Support NSW—a service providing free advisory consultation, counseling and fraud-prevention guidance. RA expects to fully cooperate with the Office of the New South Wales Privacy Commissioner, which has been notified of the incident, and with Social Futures, which is assisting with community outreach and compliance.

    In response to the breach, the Reconstruction Authority said it is conducting a review of internal systems, staff processes and approval workflows to prevent recurrence. It also committed to enhancing security controls for AI usage, data upload pathways, and vendor reviews. The independent review will assess how the breach was first detected, whether server logs or access records flagged anomalies, and whether any existing alerts or intrusion detection mechanisms were insufficient.

    Privacy laws in New South Wales require that the RA demonstrate that it took reasonable precautions to prevent unauthorized disclosure and that it can articulate its decision-making around redacting or omitting sensitive identifiers. Legal scrutiny may focus on whether design and staff training fell short of expected standards for handling participant data in a disaster recovery program.

    Broader Implications for Disaster Recovery Programs Using Sensitive Personal Data

    The RHP breach underscores the heightened risks when social service or disaster-mitigation programs handle sensitive data, particularly in jurisdictions recovering from catastrophic events. Such programs often require detailed personal, contact, financial and health information to assess eligibility and deliver support. The addition of health or sensitive attributes compounds the severity when such data is mishandled.

    Security experts note that the use of generative AI tools without clear governance significantly expands the attack surface. Employees or contractors who upload spreadsheets, particularly ones containing personal data, to AI platforms can inadvertently expose that information. The RA’s decision to revisit AI use policies and workflow approvals is being held up as an essential corrective step.

    Additionally, the breach raises questions for other jurisdictions offering government-funded rebuild or temporary housing support using digital systems. Oversight bodies may demand stricter auditing, endpoint protections, watermarking of documents, and proscriptions against uploading data to third-party AI or external tool services without encryption or review.

    The RHP data breach may also draw scrutiny from federal-level regulators and privacy advocacy groups, especially as usage of AI-assisted processing grows across public-sector programs. Citizens may demand clearer accountability, stronger legislative controls over personal data use, and better transparency when government agencies rely on temporary staff or external workflows involving AI.

    For now, RA is focused on restoring trust, conducting its independent review and delivering outcomes for individuals whose personal details were exposed. The agency emphasized it remains committed to privacy safeguards and to ensuring the Resilient Homes Program continues to serve flood-affected communities with integrity.
