NSW Treasury Downgrade Leaves Governance Questions Unanswered

The NSW Government has downgraded the "significant cyber incident" declared following an alleged insider data theft at NSW Treasury, with the state's Chief Cyber Security Officer confirming the breach has been contained and remediation measures are in place. The downgrade does not close the matter - criminal proceedings, an internal investigation and continuing legal reviews of potential procurement impacts remain unresolved.

NSW Chief Cyber Security Officer Marie Patane issued the downgrade on 4 May 2026, following confirmation by the government taskforce established to manage the incident. The taskforce confirmed the incident is now in the recovery phase and that agencies had implemented appropriate remediation measures.

A review of potential impacts on active and past government procurements has so far found that no project has been adversely affected - though the government qualified this finding, noting that legal reviews are continuing.

A 45-year-old NSW Treasury employee was arrested on 20 April 2026 and charged with accessing and modifying restricted data held in a computer. He is alleged to have transferred more than 5,600 sensitive government documents to an external server between 10 and 14 April 2026. The documents spanned multiple NSW Government departments and included confidential commercial and financial information relating to current and past government procurement negotiations and private sector transactions.

Under the NSW Government's cyber security framework, a "significant cyber incident" declaration triggers a coordinated whole-of-government response led by the NSW Chief Cyber Security Officer.

The classification in this case was made on the basis of the sensitivity of the data involved and its reach across multiple agencies, rather than the source of the breach - the alleged exfiltration was an insider action rather than an external attack. Cyber Security NSW is required to lead the government's response to significant incidents, coordinating with NSW Police, affected agencies and emergency management bodies. A downgrade has no fixed formal definition, but it signals that the active incident response phase has concluded and that standard agency-level recovery processes are sufficient.

The government's downgrade announcement does not disclose what specific remediation measures have been implemented, nor does it address the underlying governance and access control conditions that allowed more than 5,600 documents to be transferred over four days before detection. NSW Treasurer Daniel Mookhey said at the time of the initial disclosure that the incident required a re-examination of "every system that applies to NSW Treasury." No public update on the outcome of that review has been released.

The procurement integrity finding is the most consequential for the government's commercial relationships. The accused worked in Treasury's commercial team - the unit that oversees major government transactions, procurement and private sector negotiations. Treasurer Mookhey described the stolen files as covering "current government negotiations, previous government negotiations, and interactions" with the private sector.

The government's finding that no project has been "adversely affected" is qualified by "efforts to date" - legal reviews are continuing, and the determination is not described as final. Whether third-party commercial information was among the documents involved has not been confirmed.

The accused was granted conditional bail and is due to appear at Downing Centre Local Court on 3 June 2026. NSW Police have said they believe all the allegedly stolen data has been located and secured, and that there was no external compromise to Treasury's systems. The matter remains before the courts. The government has confirmed a parallel internal investigation is also continuing.

The alleged transfers occurred between 10 and 14 April 2026. NSW Treasury reported the matter to NSW Police on 19 April - nine days after the transfers allegedly began. The government has not publicly stated when internal monitoring detected the breach relative to when the transfers started, nor confirmed the detection mechanism that identified the exfiltration. Treasury's authorised document repositories include SharePoint, Content Manager, Aurion and TechnologyOne, according to the agency's Information Governance Framework.

The Treasury breach is the latest in a series of insider-related and data exposure incidents involving NSW Government agencies. In October 2025, a government contractor processed a spreadsheet containing personal and health data of up to 3,000 flood victims through ChatGPT.

In September 2025, nearly 600 medical staff had data potentially exposed after NSW Health left confidential documents publicly accessible online.

Earlier in 2025, a man was charged over the alleged access of nearly 9,000 sensitive NSW court documents, including apprehended violence orders and details of minors. The Australian Information Commissioner has noted that insider threats account for a significant proportion of data breach notifications received under Australia's Notifiable Data Breaches scheme, with public sector entities representing a disproportionate share of government-related notifications.