The Australian Human Rights Commission (AHRC) has confirmed a serious privacy breach that left sensitive documents publicly accessible online for over a month.
Between March 24 and April 10, 2025, about 670 documents submitted through the AHRC’s online forms were exposed to the public internet. At least 100 of them were viewed—including by search engines like Google and Bing.
What Was Exposed?
The leaked files included deeply personal information:
- Full names and contact details
- Street addresses and mobile numbers
- Workplace information, including employers and job roles
- Health details, education history, religious affiliation, and photographs
These documents came from submissions to various AHRC initiatives, including:
- The Speaking from Experience Project
- Human Rights Awards 2023 nominations
- A National Anti-Racism Framework concept paper
This wasn’t a cyberattack. It was a publishing error—one that made confidential attachments submitted through online forms publicly searchable.
The Commission found the breach on April 10 and took immediate steps to shut down access to the exposed files, investigate the issue, and limit the damage. The attachment upload feature on the complaints form was also disabled.
What Is the AHRC Doing Now?
The Commission reported the breach to the Office of the Australian Information Commissioner (OAIC) and launched an internal response task force.
Here’s what’s been done so far:
- All online forms on the AHRC site have been taken down as a precaution
- Affected documents have been removed from public access and search engine results
- Individuals impacted by the breach are being notified directly, where possible
- Guidance on how to protect personal data has been published on the AHRC website
In the meantime, people can still file complaints or nominations by downloading a PDF or Word version of the forms and submitting them by email or post.
A Broader Problem: Human Error in Government Data Handling
This breach is part of a troubling pattern. Government agencies in Australia are increasingly vulnerable to data handling errors.
According to the OAIC’s Notifiable Data Breaches report, government entities reported 100 out of 595 total data breaches between July and December 2024. Nearly a third of these incidents were caused by human error—often through mishandled emails or documents accidentally published online.
And the delay between the breach and its discovery isn’t uncommon. In this case, data started leaking on March 24, but the AHRC didn’t detect it until April 10. Public disclosure didn’t happen until more than a month after the breach began.
Information Commissioner Carly Kind stressed that government agencies need to detect and disclose incidents faster. “Timely action is critical,” she said, pointing out that many public sector bodies fall short of expectations in breach management.
How to Prevent It From Happening Again
Security experts say the solution isn’t complicated—but it does require commitment. Agencies and organizations can reduce the risk of similar breaches with a few key practices:
- Tighten access controls: Limit who can see and upload sensitive data
- Audit systems regularly: Test for weak points and fix issues before they’re exploited
- Train staff: Make sure employees know how to handle personal data correctly
- Have a breach plan: Create a step-by-step response plan for when things go wrong
- Limit data collection: Only ask for the information that’s truly needed—and don’t keep it longer than necessary
These are basic steps. But when followed consistently, they can go a long way in protecting people’s private information—especially in sectors tasked with upholding human rights.
As the AHRC works through its response, the incident serves as a wake-up call for all agencies handling sensitive public data. The cost of inaction, even when unintentional, can be serious—both for the individuals affected and for public trust in government.