Thousands of homeowners impacted by the Northern Rivers floods have had their personal details exposed after a contractor for the New South Wales (NSW) Reconstruction Authority uploaded sensitive data to ChatGPT, which is not authorised for government use.
The incident took place between March 12 and 15, when a Microsoft Excel spreadsheet containing more than 12,000 data entries from the Northern Rivers Resilient Homes Program was uploaded online.
The file included names, addresses, emails, phone numbers and, in some instances, health and other personal information linked to as many as 3,000 applicants.
The Reconstruction Authority said the upload was carried out by a former contractor who had access to information from residents seeking assistance under the government’s flood recovery program.
The Resilient Homes initiative forms part of the state’s broader effort to support communities in Lismore and across the Northern Rivers as they rebuild following the devastating 2022 floods.
Officials said there was no sign so far that the information had been accessed or shared publicly, though that possibility could not yet be ruled out.
Cyber Security NSW is overseeing a detailed investigation, supported by forensic specialists, to determine the severity of the incident and whether any third party gained access to the data.
The Northern Rivers buyback program was introduced after the devastating 2022 floods in Lismore and nearby towns.
Since then, the NSW government has bought back more than 800 homes, including over 500 in Lismore. Around 80 properties have been relocated and about 150 demolished as part of efforts to move residents out of high-risk flood zones.
Investigation Underway
The Reconstruction Authority said that after the incident came to light, they immediately took steps to reduce any further risk, engaging external forensic experts and notifying the NSW Privacy Commissioner.
“We understand this news is concerning and we are deeply sorry for the distress it may cause,” the agency said. “Our priority has been ensuring we have all the facts before contacting affected individuals.”
The review has proven complex, as the spreadsheet contains more than 12,000 records across ten columns, each requiring manual verification to determine what data may have been exposed and who was affected. Analysts expect to finalise their findings within days.
After the investigation is complete, the authority will contact those impacted directly. With support from ID Support NSW, affected people will receive details about the incident and advice on steps to protect their identity, including assistance in replacing any compromised identification documents.
