Australian Human Rights Commission reports data breach
The Australian Human Rights Commission (AHRC) is reporting a data breach affecting attachments uploaded through multiple web forms on its official website. The incident, first detected on April 10, 2025, exposed sensitive documents containing the personal information of individuals who uploaded files through the Commission's online forms.
The data breach appears to be the result of a technical configuration error that inadvertently made private attachments publicly accessible. Initially, the Commission identified that attachments uploaded to its complaint webform between March 24 and April 10, 2025, had been exposed. These documents were publicly available and potentially indexed by search engines between April 3 and April 10, 2025.
Further investigation on May 8, 2025, revealed a more extensive scope of the breach, affecting additional web forms associated with three separate AHRC initiatives:
- the Speaking from Experience Project (March–September 2024),
- Human Rights Awards 2023 nominations (July 3–September 4, 2023),
- National Anti-Racism Framework concept paper submissions (October 2021–February 2022).
These additional documents were exposed between April 3 and May 5, 2025.
Approximately 670 documents were potentially exposed. Approximately 100 documents were confirmed to have been accessed online through search engines such as Google and Bing. Many documents contained personal information of varying sensitivity, but some contained no personal data or included information that was already publicly available.
The potentially compromised personal information includes:
- Full names
- Email addresses
- Residential addresses
- Mobile phone numbers
- Employer details and professional roles
- Work contact information
- Personal health information
- Educational and schooling information
- Religious affiliations
- Photographs
The number of affected individuals is not disclosed.
All attachment functionality on the complaint form was immediately disabled and, after the expanded discovery, all webforms on the Commission's website were suspended. Alternative methods for submitting information remained available.
The Commission has formally reported the incident to the regulators and actively worked with search engines to have the exposed documents removed from search results.