A NSW Treasury employee has been arrested and charged over the alleged theft of more than 5,600 sensitive government documents in what the state government has declared a significant cyber incident.

NSW Treasurer Daniel Mookhey confirmed on Tuesday that internal security monitoring detected the suspected transfer of a large cache of confidential commercial and financial documents to an external server. The alleged transfers occurred between 10 and 14 April 2026.

NSW Police received a report of the breach on Sunday 19 April. Detectives from the State Crime Command's Cybercrime Squad launched an investigation under Strike Force Civic.

At about 1.30pm on Monday 20 April, detectives arrested a 45-year-old man in Sydney's CBD. He was taken to Day Street Police Station. Officers later executed a search warrant at a home in Homebush West, allegedly seizing electronic devices including a hard drive.

The man was charged with access/modify restricted data held in computer. He was granted conditional bail and is due to appear at Downing Centre Local Court on 3 June 2026.

According to the Agency's Information Governance Framework, its authorised document repositories include SharePoint, Content Manager, Aurion and TechnologyOne.

Commercial team at the centre

Mookhey said the accused had worked in NSW Treasury's commercial team for approximately three years. That unit oversees major government transactions, procurement and private sector negotiations.

"The Treasury commercial team is involved in a lot of the government's commercial relationships," Mookhey told reporters. "They also are involved in a variety of significant government transactions or negotiations with the private sector."

The Treasurer said the files involved spanned multiple NSW Government departments and projects, covering both current and past government negotiations and interactions.

"It is commercial in confidence; information that involves current government negotiations, previous government negotiations, and interactions," Mookhey said. "That's the reason why it was declared to be a significant cyber incident."

Mookhey added that the employee had undergone standard vetting procedures at the time of hiring, with no concerns identified. "An incident like this requires us to re-examine every system that applies to the NSW Treasury," he said.

NSW Police said they believe all the allegedly stolen data has been located and secured. There was no external compromise to the agency's system, police said.

The NSW Chief Cyber Security Officer, Marie Patane, is coordinating the whole-of-government response in line with the state's cyber security plan. Mookhey confirmed there is no current impact to any NSW Government service.

Mookhey said it was not yet clear whether third-party information was among the documents involved. "Whether that includes third party information, it's something that, of course, we are working through as we speak," he said.

"It is serious and it has been taken seriously," Mookhey told reporters. "Everyone knows cyber risks are going up - that's affecting government, that's affecting business, that's affecting the non-for-profit sector, it's affecting everyone."