Incident Involving Disclosure of Documents by the Australian Human Rights Commission to Search Engine Platforms

The Australian Human Rights Commission (AHRC) has confirmed a serious data breach involving the unauthorized exposure of sensitive documents that were subsequently indexed by major search engines.

The breach includes hundreds of documents containing private information such as names, contact details, health records, educational backgrounds, religious affiliations, employment history, and photographs. The AHRC, an independent statutory body established by the Australian Government, is tasked with the promotion and protection of human rights across the nation. It investigates discrimination complaints, monitors adherence to international human rights commitments, conducts inquiries, and facilitates relevant research projects and initiatives.

Although it lacks judicial authority, the AHRC processes public complaints, striving for resolution through conciliation and referring unresolved matters to federal courts when necessary.

The AHRC’s announcement revealed the breach affects submissions made between the following dates:

– Complaints filed via web form from March 24, 2025, to April 10, 2025.
– Contributions to the “Speaking from Experience” project from March 2024 to September 2024.
– Submissions for the National Anti-Racism Framework concept paper from October 2021 to February 2022.

A total of 670 documents were discovered exposed online, and these were accessed between April 3 and May 5, 2025. While certain documents contained information that was already publicly available, others revealed private and sensitive data that could have serious repercussions for the individuals who provided it, particularly given the nature of the topics addressed by the AHRC.

The organization stated that the breach was not a result of a malicious attack from external entities, affirming that more details about the incident will be disclosed in due course. In response to the breach, the AHRC has requested the immediate delisting of the compromised files from search engine results and has temporarily disabled all online submission forms to prevent further exposure due to possible configuration issues.

A dedicated taskforce has been established to investigate the incident, and the Office of the Australian Information Commissioner (OAIC) has been informed. Individuals affected by this breach will receive direct notifications, and a dedicated helpline has been created to offer necessary support.

In addition to standard guidance on remaining vigilant against scams or suspicious activities, the AHRC has also provided resources for mental health support, recognizing the potential distress caused by such a breach for the individuals involved.