‘Deeply sorry’: NSW contractor uploaded 3000 flood victims’ data to ChatGPT
The NSW government says it is “deeply sorry” after sensitive information of thousands of flood victims was uploaded to ChatGPT by a former contractor in a major data breach.
Email addresses, phone numbers and “other personal and health information” belonging to up to 3000 individuals who had applied to the Northern Rivers Resilient Homes Program (RHP) were shared to the unsecured artificial intelligence platform in March this year, the NSW Reconstruction Authority announced on Monday.
“There is no evidence that any information has been made public, however this cannot be ruled out and a thorough investigation is underway by Cyber Security NSW,” the department said in a statement.
“We understand this news is concerning and we are deeply sorry for the distress it may cause for those who have engaged with the program.
“We will be contacting people this week with updates to let them know what has happened and whether they have been impacted or not.
“Since learning about the extent of this breach, we have engaged forensic analysts and are working closely with Cyber Security NSW to undertake an investigation to understand the scope and the risks arising from it.
“We expect the forensic analysis to be completed within the coming days. This will give us a clearer understanding of the extent of the breach and the specific data involved.
“We know people will want to know exactly what has been shared and we are doing all we can to get that information to them as soon as possible.
“So far, there is no evidence that any of the uploaded data has been accessed by a third party.”
The data shared was a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information.
“All of it must be thoroughly reviewed to understand what may have been compromised,” the department said.
“The process is highly complex and time consuming and we acknowledge that it has taken time to notify people. Our focus has been on making sure we have all the information we need to notify every impacted person correctly.
“We understand that people will have questions about how this could have happened and why it has taken time to notify impacted people. We have initiated an independent review of how this breach was identified and managed and will share those findings once it is completed.”
The department said once it became aware of the full scope of the breach it “took steps to contain any further risks”.
“We began working closely with Cyber Security NSW and engaged forensic analysts,” it said.
“We are undertaking detailed investigations to understand what was shared, what the risks are and who from the program is impacted.”
The NSW Reconstruction Authority says it will be contacting people this week with the assistance of ID Support NSW to “confirm what information has been affected and to offer personalised support”.
“We are working with Cyber Security NSW to monitor the internet and dark web to see if any of the information is accessible online,” it said.
“The NSW Privacy Commissioner has also been notified.
“We have reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Safeguards are now in place to prevent future incidents.”
ID Support NSW, the state government agency that assists people affected by data breaches, can provide advice on compromised identification documents and how to restore identity security and share “options for additional support and counselling services”.
“The NSW Reconstruction Authority will provide compensation for any reasonable out of pocket expenses if any compromised identity documents need to be replaced,” the department said.
“We will continue to share updates and provide support to those who have been impacted.
“We understand the seriousness of this breach and are deeply sorry for the potential impact on people whose personal and sensitive information has been disclosed.
“We remain fully committed to protecting their privacy and restoring trust in the Resilient Homes Program and the NSW Reconstruction Authority.”
The Northern Rivers Resilient Homes Program, a joint NSW and federal government initiative, offers assistance to those affected by the record floods that devastated the NSW region in early 2022.
Thirteen people died, 4055 properties were destroyed and nearly 11,000 were damaged, with 4000 people evacuated from Lismore alone.
The program offers financial support for home buybacks, raising or retrofitting.
Unauthorised use of commercially available AI tools like ChatGPT by government workers has raised growing concerns over privacy risks.
Last year, Victoria’s child protection agency was ordered to ban staff from using generative AI after a worker uploaded sensitive information, including the name of an at-risk child, to ChatGPT.
