The Australian Human Rights Commission (AHRC) has disclosed a significant data breach that exposed hundreds of sensitive documents online, some of which were indexed by major search engines.
The documents included private information such as names, contact details, health records, employment data, and photographs.
According to AHRC’s official announcement, the breach affected submissions made through its complaint webform between March 24 and April 10, 2025, the ‘Speaking from Experience’ project between March and September 2024, and the National Anti-Racism Framework submissions from October 2021 to February 2022. A total of 670 documents were accessed between April 3 and May 5, 2025.
The AHRC emphasized that the incident was not the result of a malicious cyberattack, suggesting it was likely due to a misconfiguration or internal oversight. In response, the commission has disabled all public web forms and requested the urgent removal of the exposed files from search engine indexes.
The breach is particularly concerning given the highly sensitive nature of the data involved and the vulnerable communities the AHRC serves. The Office of the Australian Information Commissioner (OAIC) has been notified, and a dedicated investigation task force is underway. Affected individuals will be contacted directly, and a support helpline has been established.
The AHRC is also encouraging people to stay alert for phishing attempts or fraud and has shared links to mental health resources for those impacted by the breach.
