Thousands of flood survivors in New South Wales, Australia, have had their personal details exposed after a former contractor to the NSW Reconstruction Authority uploaded sensitive data to ChatGPT.
The breach involves the Northern Rivers Resilient Homes Program, which was created to support residents impacted by the 2022 floods.
Through the program, the government offered options such as voluntary home buybacks, financial help to rebuild, or property upgrades aimed at improving resilience.
Now, applicants who sought relief through this initiative may be dealing with the consequences of a serious privacy failure.
More: ChatGPT Chats Leaked in Google Search After Discoverable Feature Misfires
Central to the incident is an Excel spreadsheet containing more than 12,000 rows of data.
The document, which was uploaded to ChatGPT between March 12 and 15, is believed to include information on as many as 3,000 people.
The compromised data includes names, phone numbers, email addresses, physical addresses, and some health-related information. According to the government, the upload was carried out without authorization.
Despite taking place over six months ago, the breach was not made public until this week, during a public holiday in NSW.
The delay in disclosure is a reminder of ongoing concerns around the speed and transparency of mandatory breach notifications.
More: Say Cheese to the Surveillance Engine
Cyber Security NSW has been tasked with reviewing the file. “Every row is being carefully reviewed to understand what information may have been compromised,” the authority stated.
It described the process as lengthy and complex, noting that it wanted to ensure affected people could be contacted properly. “Our focus has been on ensuring we had the right information to contact every impacted person accurately and completely.”
The agency said it expects the forensic review to finish shortly. “This will give us a clearer understanding of the extent of the breach and the specific data involved.”
Officials say there is currently “no evidence that any of the uploaded data has been accessed by a third party.”
However, AI platforms like ChatGPT are public tools operating outside the oversight of government systems. Once data is uploaded, confirming whether it has been seen or extracted becomes extremely difficult.
In response, the authority said it has strengthened internal processes and restricted the use of external AI tools. “We’ve reviewed and strengthened our internal systems and processes and issued clear guidance to staff on the use of unauthorized AI platforms, like ChatGPT,” it stated. “Safeguards are now in place to prevent similar incidents in future.”
Australian authorities continue to push for broader adoption of digital identity systems, including proposals to require online age and ID verification for access to various platforms.
These measures are being framed as solutions to problems like online safety and fraud prevention.
However, incidents such as the recent NSW Reconstruction Authority data breach reveal how vulnerable these systems can be when personal information is placed in the hands of institutions that are not equipped to manage it securely.
If government agencies and their contractors are already failing to protect sensitive details like names, addresses, contact numbers, and health information, expanding digital ID requirements introduces greater risk. Forcing Australians to submit official identification just to access online services could significantly raise the stakes of future breaches.
Instead of improving public confidence, these recurring failures show that the systems responsible for managing digital identity are not yet ready for the level of trust being demanded.
