The Australian Human Rights Commission (AHRC) has revealed a significant data breach incident, disclosing that hundreds of private documents have leaked online and were indexed by major search engines. These documents contained sensitive personal information, such as names, contact details, health records, and employment information. This alarming breach raises concerns about the privacy and security of individuals who had submitted their information to the commission.
Established by the Australian Government, the AHRC serves as an independent statutory body tasked with promoting and protecting human rights in Australia. The commission is responsible for receiving and investigating discrimination complaints, monitoring compliance with international human rights obligations, and conducting various inquiries and research projects. Although it lacks court powers, the AHRC attempts to resolve complaints through conciliation while referring unresolved cases to federal courts.
The breach affects submissions made between specific dates, including the complaint webform submitted between March 24, 2025, and April 10, 2025, as well as contributions to the ‘Speaking from Experience’ project and the National Anti-Racism Framework concept paper. In total, 670 documents were exposed online and accessed from April 3 to May 5, 2025. While some of the documents were already public, others contained sensitive information that could potentially harm the individuals involved, especially considering the nature of the issues addressed by the AHRC.
In an announcement on their website, the AHRC stated that the incident was not due to a malicious external attack, and further details are expected to be released in a future update. In response to the breach, the AHRC has requested the immediate removal of the indexed files from search engines and has disabled all web forms to prevent further exposures due to underlying misconfigurations. A dedicated taskforce is currently investigating the incident, and the Office of the Australian Information Commissioner (OAIC) has been notified of the breach. Affected individuals will be notified personally and can access a helpline set up to provide support. AHRC has also provided resources for mental health support, acknowledging the distress that such data exposure may cause victims.