NSW Reconstruction Authority (RA)

A major data breach at the NSW Reconstruction Authority (RA) exposed the private information of up to 3,000 northern NSW residents affected by the 2022 floods. The breach occurred in March 2024 when a former contractor uploaded a spreadsheet containing over 12,000 rows of data from the Northern Rivers Resilient Homes Program to ChatGPT. The leaked data included names, addresses, email addresses, phone numbers, and sensitive personal and health information of program applicants, individuals seeking home buybacks or flood-resilience upgrades.

While there is no confirmed public exposure of the data, the RA acknowledged the risk could not be ruled out. The authority delayed notifications due to the complexity of identifying all affected individuals and verifying the scope of the breach. Investigations involved Cyber Security NSW and forensic analysts, with the NSW Minister for Recovery expressing regret over the incident. The RA began contacting impacted residents in the week following the disclosure, offering support but facing criticism for the delayed response and potential reputational harm to the affected community.

Source: https://www.abc.net.au/news/2025-10-06/data-breach-northern-rivers-resilient-homes-program-chatgpt/105855284

TPRM report: https://www.rankiteo.com/company/nswreconauth

"id": "nsw0902109100625",
"linkid": "nswreconauth",
"type": "Breach",
"date": "6/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'up to 3,000 residents',
                        'industry': 'disaster recovery and resilience',
                        'location': 'New South Wales, Australia',
                        'name': 'NSW Reconstruction Authority (RA)',
                        'type': 'government agency'},
                       {'customers_affected': 'up to 3,000 applicants',
                        'industry': 'flood recovery and resilience',
                        'location': 'Northern Rivers region, NSW, Australia',
                        'name': 'Northern Rivers Resilient Homes Program',
                        'type': 'government program'}],
 'attack_vector': ['human error',
                   'improper data handling',
                   'AI platform misuse (ChatGPT)'],
 'customer_advisories': ['direct notifications to impacted residents with '
                         'support information'],
 'data_breach': {'data_exfiltration': ['uploaded to ChatGPT (unauthorized '
                                       'external platform)'],
                 'file_types_exposed': ['spreadsheet'],
                 'number_of_records_exposed': '12,000+ rows (up to 3,000 '
                                              'individuals)',
                 'personally_identifiable_information': ['names',
                                                         'addresses',
                                                         'email addresses',
                                                         'phone numbers',
                                                         'health information'],
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['personal identifiable '
                                              'information (PII)',
                                              'health information',
                                              'contact details',
                                              'program application data']},
 'date_detected': '2024-03',
 'date_publicly_disclosed': '2024-08',
 'description': 'A major data breach at the NSW Reconstruction Authority (RA) '
                'exposed the private information of up to 3,000 northern NSW '
                'residents affected by the 2022 floods. The breach occurred in '
                'March 2024 when a former contractor uploaded a spreadsheet '
                'containing over 12,000 rows of data from the Northern Rivers '
                'Resilient Homes Program to the AI platform ChatGPT. The '
                'exposed data included names, addresses, email addresses, '
                'phone numbers, and other personal and health information of '
                'program applicants. The RA is investigating the incident with '
                'Cyber Security NSW and forensic analysts, though there is no '
                'evidence the data has been publicly disclosed. Notifications '
                'to affected individuals began in late 2024, with the NSW '
                'Minister for Recovery expressing regret over the delay.',
 'impact': {'brand_reputation_impact': ['loss of trust in NSW Reconstruction '
                                        'Authority',
                                        'public apology by NSW Minister for '
                                        'Recovery'],
            'data_compromised': ['names',
                                 'addresses',
                                 'email addresses',
                                 'phone numbers',
                                 'personal information',
                                 'health information'],
            'identity_theft_risk': ['high (personal and health data exposed)'],
            'legal_liabilities': ['potential regulatory scrutiny',
                                  'review of data handling practices'],
            'operational_impact': ['investigation and containment efforts',
                                   'delayed notifications to affected '
                                   'individuals',
                                   'review of departmental processes'],
            'systems_affected': ['ChatGPT (AI platform)',
                                 'Northern Rivers Resilient Homes Program '
                                 'database']},
 'investigation_status': 'ongoing (detailed investigations by RA, Cyber '
                         'Security NSW, and forensic analysts)',
 'lessons_learned': ['importance of contractor oversight',
                     'risks of uploading sensitive data to AI platforms',
                     'need for timely incident notification',
                     'enhanced data access controls'],
 'motivation': ['unintentional', 'negligence'],
 'post_incident_analysis': {'corrective_actions': ['process review by RA',
                                                   'enhanced contractor '
                                                   'agreements',
                                                   'improved data protection '
                                                   'measures'],
                            'root_causes': ["former contractor's unauthorized "
                                            'data upload',
                                            'lack of monitoring for data '
                                            'exfiltration',
                                            'delayed detection of breach']},
 'recommendations': ['strengthen third-party vendor management',
                     'implement stricter data handling policies',
                     'conduct regular audits of data access',
                     'improve incident response timelines',
                     'provide training on secure data sharing practices'],
 'references': [{'date_accessed': '2024-08',
                 'source': 'ABC News',
                 'url': 'https://www.abc.net.au/news/2024-08-XX/nsw-flood-victims-data-breach-chatgpt/100XXXXX'},
                {'date_accessed': '2024-08',
                 'source': 'NSW Reconstruction Authority Statement'}],
 'regulatory_compliance': {'regulatory_notifications': ['internal review by RA',
                                                        'potential reporting '
                                                        'to Australian privacy '
                                                        'regulators (e.g., '
                                                        'OAIC)']},
 'response': {'communication_strategy': ['public statement by RA',
                                         'media interviews by NSW Minister for '
                                         'Recovery',
                                         'direct outreach to affected '
                                         'individuals'],
              'containment_measures': ['removal of data from ChatGPT',
                                       'risk assessment'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['notifications to affected individuals',
                                    'support services for impacted residents'],
              'remediation_measures': ['detailed investigation into shared '
                                       'data and risks',
                                       'process review by RA'],
              'third_party_assistance': ['Cyber Security NSW',
                                         'forensic analysts']},
 'stakeholder_advisories': ['NSW Minister for Recovery (Janelle Saffin) issued '
                            'public apology',
                            'RA to provide updates to affected individuals'],
 'threat_actor': ['former contractor of NSW Reconstruction Authority'],
 'title': 'NSW Reconstruction Authority Data Breach Exposes Personal '
          'Information of 3,000 Flood-Affected Residents',
 'type': ['data breach',
          'unauthorized data exposure',
          'third-party misconduct'],
 'vulnerability_exploited': ['lack of data access controls',
                             'inadequate contractor oversight',
                             'unauthorized data upload to external platform']}