Case Study: NSW Reconstruction Authority
The March 2025 NSW Reconstruction Authority breach shows how one untrained employee using a consumer AI tool can expose sensitive personal data and put an entire organisation at risk.
Incident Timeline Explorer
Key Takeaway
A single untrained employee can expose an entire organisation. The NSW Reconstruction Authority breach was not a sophisticated cyber attack; it was a well-intentioned staff member trying to do their job faster. Without training, policy, and technical controls, the same scenario can repeat in any agency.
Control Mapping Exercise
For each timeline step, select the control that would have prevented or mitigated the incident.
Defence in Depth
No single control prevents all shadow AI risks. Effective protection requires layered defences: policy sets the rules, training builds awareness, technical controls enforce boundaries, and monitoring catches what slips through. Each layer compensates for the weaknesses of the others.
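As an added illustration of two of these layers, the Python below pairs a preventive allowlist decision, of the kind a web proxy or secure web gateway would apply, with a detective scan over proxy log lines that flags uploads which still reached a consumer AI service. This is example code written for this page; it is not part of the original course material and is not drawn from the NSW Reconstruction Authority incident record. The approved and consumer hostnames, the log format, the size threshold and the sample log records are all assumptions made for the example.

```python
"""Layered shadow-AI control: an allowlist check (technical control) plus a
proxy-log monitor (detective control). Added example; all hosts, the log
format and the sample records below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Assumption: the sanctioned enterprise AI endpoint that policy permits.
APPROVED_AI_HOSTS = {"ai.internal.example.gov.au"}
# Assumption: consumer generative-AI hosts that policy does not allow for work data.
CONSUMER_AI_HOSTS = {"chatgpt.com", "chat.openai.com", "claude.ai", "gemini.google.com"}
# Assumption: request bodies at or above this size are treated as bulk uploads.
UPLOAD_BYTES_THRESHOLD = 1_000_000

# Constructed proxy log format: "<timestamp> <user> <method> <url> <status> <bytes_sent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


@dataclass
class Finding:
    user: str
    host: str
    bytes_out: int
    reason: str


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased; empty string if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def is_consumer_ai(host: str) -> bool:
    """True for a listed consumer AI host or any subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in CONSUMER_AI_HOSTS)


def enforce(url: str) -> bool:
    """Preventive layer: the proxy's allow/deny decision for one request.
    Approved enterprise AI is allowed, consumer AI is denied, other traffic
    is left to whatever other rules the proxy applies (allowed here)."""
    host = host_of(url)
    if host in APPROVED_AI_HOSTS:
        return True
    if is_consumer_ai(host):
        return False
    return True


def monitor(lines: Iterable[str]) -> List[Finding]:
    """Detective layer: scan proxy logs for successful POST/PUT requests to
    consumer AI hosts, i.e. uploads that got past the preventive control
    (for example from a device or network segment the proxy policy missed).
    Blocked requests (non-2xx) are not findings; they show the control working."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore malformed records rather than crash the scan
        host = host_of(m["url"])
        bytes_out = int(m["bytes_out"])
        if (m["method"] in ("POST", "PUT")
                and is_consumer_ai(host)
                and m["status"].startswith("2")):
            reason = ("bulk upload to consumer AI service"
                      if bytes_out >= UPLOAD_BYTES_THRESHOLD
                      else "upload to consumer AI service")
            findings.append(Finding(m["user"], host, bytes_out, reason))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-03-12T09:14:05Z jsmith GET https://chatgpt.com/ 200 0",
    "2025-03-12T09:15:40Z jsmith POST https://chatgpt.com/api/upload 200 3145728",
    "2025-03-12T09:20:01Z akhan POST https://ai.internal.example.gov.au/chat 200 20480",
    "2025-03-12T09:21:33Z bwong POST https://claude.ai/api/upload 403 0",
    "2025-03-12T09:22:10Z cdoe POST https://gemini.google.com/api/upload 200 51200",
]

if __name__ == "__main__":
    print("proxy decision for chatgpt.com upload:", enforce("https://chatgpt.com/api/upload"))
    for f in monitor(SAMPLE_LOG):
        print(f"{f.user} -> {f.host}: {f.bytes_out} bytes ({f.reason})")
```

Run against the constructed log, the scan reports jsmith's 3 MB upload to chatgpt.com as a bulk upload and cdoe's smaller upload to gemini.google.com as an upload; akhan's use of the approved enterprise endpoint and bwong's blocked (403) request are not reported. The two functions are deliberately separate: `enforce` is what the boundary does in line, `monitor` is what you run over the records afterwards to find the cases the boundary did not see.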