Australian Human Rights Commission discovers data leak

The Australian Human Rights Commission announced on Wednesday that it has been affected by a data breach concerning attachments uploaded to the Commission’s web forms on its website.

The Commission believes that around 670 documents were made potentially accessible in error. Of these, around 100 documents were accessed online, for example by search engines such as Google or Bing. The Commission says it acted to address the breach as soon as it became aware.

“We sincerely apologise to people who may be affected. The Commission is contacting affected individuals for whom we have contact information to advise them of the breach,” the Commission said in a news release. “The Commission has reported the unauthorised disclosure of personal information to the Office of the Australian Information Commissioner.”

More information about the breach is available on the website, including advice on how to protect personal information online and numbers for support.

Information about the data breach

On 10 April 2025, the Commission became aware of the unauthorised disclosure of attachments uploaded through the complaint form on its website. The Commission launched an investigation and disabled the attachment function on the complaint form. The disclosure was not the result of a malicious or criminal attack, but a system error.

The Commission understands that the breach affected a small number of complaint attachments uploaded to the complaint form between 24 March and 10 April 2025. The documents were made publicly available and accessed between 3 April 2025 and 10 April 2025.

The Commission also discovered that attachments uploaded on other web forms for its Speaking from Experience Project (March–September 2024), Human Rights Awards 2023 nominations (3 July 2023–4 September 2023) and National Anti-Racism Framework concept paper (October 2021–February 2022) were also affected by this data breach. These documents were made publicly available and accessed between 3 April 2025 and 5 May 2025.

Many of the attachments contain personal information. Some attachments contain no personal information and others contain information that is already publicly available.

The Commission says it is undertaking work to determine affected individuals and is notifying those affected by the data breach where contact details are available.

Image credit: iStock.com/napong rattanaraktiya