The Australian Human Rights Commission (AHRC) disclosed a data breach involving attachments from its online complaint form. Search engines accidentally indexed these attachments, making them publicly accessible. An independent investigator said the breach occurred between April 3 and April 10, 2025. Attachments uploaded from March 24 to April 10, 2025, were affected.
The breach also involved documents related to key projects. These include the National Anti-Racism Framework concept paper and the Speaking from Experience Project. Nominations for the Human Rights Awards 2023 were also exposed. The exposed documents contained personal information such as names, addresses, and email contacts. They also included phone numbers, job titles, health data, education, religion, and photos. Some attachments had no personal data or contained publicly available information.
The breach affects people who submitted attachments during the stated periods. It also impacts those who nominated for Human Rights Awards between July and September 2023. The breach also affected contributors to the Anti-Racism Framework from October 2021 to February 2022.
AHRC found three Speaking from Experience Project attachments publicly exposed and accessed online. The Commission notified all individuals affected by these specific exposures. The Commission determined that people who did not receive notifications were safe from impact. They estimate that a mistake made about 670 documents publicly accessible. Search engines like Google and Bing accessed approximately 100 of these documents.
AHRC is working to remove these documents from search results. They continue identifying all affected individuals. The Commission has reported the breach to relevant authorities for oversight. AHRC is committed to protecting personal information.
They are reviewing procedures to avoid such incidents in the future.
