Australian Human Rights Commission Data Breach Exposes Sensitive Documents Submitted via Website

The Australian Human Rights Commission (AHRC) has disclosed a significant data breach involving the unintended public exposure of sensitive documents uploaded through its website.

The breach, which was not the result of a malicious or criminal attack, was caused by a technical misconfiguration that left document attachments submitted via multiple webforms temporarily accessible online—including by search engines like Google and Bing.

“The Commission’s best information is that around 670 documents were made potentially accessible in error. Of these, around 100 documents were accessed online,” the AHRC stated in its notification.

The AHRC first became aware of the issue on 10 April 2025, when it discovered that complaint attachments uploaded through its complaint webform had been unintentionally made public. The exposed documents were accessible online from 3 April to 10 April 2025.

“We immediately acted, including by launching an investigation and disabling the attachment function on our complaint form,” the Commission noted.

Subsequent investigation revealed that the breach extended beyond complaint forms. It also affected document uploads to other projects and initiatives hosted on the Commission’s site, including:

• Speaking from Experience Project (March – September 2024)
• Human Rights Awards 2023 nominations (3 July – 4 September 2023)
• National Anti-Racism Framework concept paper (October 2021 – February 2022)

The Commission acknowledged that the extended breach window lasted until 5 May 2025, when additional access instances were identified.

The attachments involved in the breach vary in sensitivity:

• Some contained personal and sensitive information
• Others included publicly available or non-personal data

Specifically, the Speaking from Experience project saw only 3 documents accessed, and all affected individuals have been notified.

“We are undertaking work to determine affected individuals and are notifying those affected by the data breach where we have contact details,” the Commission added.

Related Posts:

• European Commission Launches “AI Continent Action Plan” to Compete with US and China
• Google Faces Australian Government Investigation due to collecting user data
• Australian Department sues Facebook for violating privacy policy
• Chinese hackers attack Australian national universities, threatening national security