The Australian Human Rights Commission (AHRC) disclosed a data breach incident where private documents leaked online and were indexed by major search engines.
Many of the hundreds of documents exposed online contained private, sensitive information, like names, contact information, health details, schooling, religion, employment info, and photographs.
AHRC is an independent statutory body established by the Australian Government, with the primary role of promoting and protecting human rights in the country.
It receives and investigates discrimination complaints, monitors compliance with international human rights obligations, conducts inquiries and research, and oversees related projects and initiatives.
Although the organization does not have court powers, it receives complaints from the public and tries to resolve them through conciliation, while it refers unresolved cases to federal courts.
According to an announcement published on the AHRC website, the breach impacts submissions between the following dates:
- complaint webform between March 24, 2025, and April 10, 2025
- ‘Speaking from Experience’ project between March 2024 and September 2024
- submissions to the National Anti-Racism Framework concept paper between October 2021 and February 2022
A total of 670 documents have been exposed online and accessed between April 3 and May 5, 2025.
While some documents contain already public personal information, others expose sensitive data that may be damaging for the individuals submitting it in the context of the topics AHRC deals with.
The organization said the incident was not the result of a malicious external attack, but more details will become available in a future update.
Meanwhile, AHRC has requested the immediate removal of the indexed files from search engines and disabled all web forms to prevent a subsequent exposure due to underlying misconfigurations.
A dedicated taskforce and investigation are underway, while the Office of the Australian Information Commissioner (OAIC) has also been notified.
Those who are determined to have been impacted by this incident will be notified personally, and a helpline has been set up to offer support.
Apart from the standard “watch out for scams or suspicious activity” advice, AHRC also lists links to mental health support platforms, indicative of the distress that such a data exposure may cause to affected individuals.