Australian Human Rights Commission suffers data breach exposing sensitive personal information

The Australian Human Rights Commission (AHRC) has confirmed a significant data breach that resulted in the online exposure of hundreds of sensitive documents, many of which were indexed by major search engines. The documents, some containing highly personal information, were accessible between April 3 and May 5, 2025.

AHRC, an independent statutory body tasked with promoting and protecting human rights in Australia, disclosed the breach through an official announcement on its website. The organization clarified that the exposure was not due to a malicious cyberattack but attributed it to internal misconfigurations. Further details are expected in an upcoming update.

The breach affected three distinct sets of submissions: complaint webforms submitted between March 24 and April 10, 2025; contributions to the ‘Speaking from Experience’ project between March and September 2024; and submissions to the National Anti-Racism Framework concept paper gathered between October 2021 and February 2022.

In total, 670 documents were exposed online, many of which included private and sensitive information such as full names, contact details, health information, religious affiliations, employment history, schooling background, and photographs. While some submissions were intended for public viewing, others contained confidential material related to personal experiences of discrimination, racism, or other sensitive human rights concerns.

Recognizing the potential harm to those affected, AHRC emphasized that steps are being taken to contain the incident. Immediate actions included disabling all web forms to prevent further exposure and requesting the removal of indexed files from search engines. The Commission has launched an internal investigation supported by a dedicated taskforce and has notified the Office of the Australian Information Commissioner (OAIC).

The AHRC is in the process of contacting individuals whose data was compromised. A helpline has been established to provide assistance and emotional support to affected parties, reflecting the potentially distressing nature of the breach.