Data breach notification

The Australian Human Rights Commission has been affected by a data breach concerning attachments uploaded to the Commission’s web forms on its website.  

The Commission’s best information is that around 670 documents were made potentially accessible in error. Of these, around 100 documents were accessed online, for example by search engines such as Google or Bing. The Commission acted to address the breach as soon as it came to our attention.  

The Commission takes the issue of privacy and data protection very seriously. It is critical that people are able to securely share personal and sensitive information with the Commission via our website. We sincerely apologise to people who may be affected. The Commission is contacting affected individuals for whom we have contact information to advise them of the breach. 

We are working as hard as we can to fully investigate and address the breach. The Commission has reported the unauthorised disclosure of personal information to the Office of the Australian Information Commissioner.  

More information about the breach is available on the website, including advice on how to protect personal information online and numbers for support. We will keep the website updated with any new information. 

Information about the data breach 

The best information we currently have is: 

• On 10 April 2025, the Commission became aware of the unauthorised disclosure of attachments uploaded through its complaint webform on the Commission’s website. 
• We immediately acted, including by launching an investigation and disabling the attachment function on our complaint form.
• The disclosure was not the result of a malicious or criminal attack. We will provide updated information as our investigations continue.
• We originally understood the breach affected a small number of complaint attachments uploaded to the complaint webform on our website between 24 March 2025 and 10 April 2025. We understand that these documents were made publicly available and accessed between 3 April 2025 and 10 April 2025. 
• Subsequently, on 8 May 2025, we became aware that attachments uploaded through other webforms on the Commission’s website for our Speaking from Experience Project (March – September 2024), Human Rights Awards 2023 nominations (3 July 2023 – 4 September 2023), and National Anti-Racism Framework concept paper (October 2021 – February 2022) were also affected by this data breach. We understand that these documents were made publicly available and accessed between 3 April 2025 and 5 May 2025. 
• Many of the attachments contain personal information. Some attachments contain no personal information and others contain information that is already publicly available. 
• In relation to the Speaking from Experience project, only 3 attachments were made publicly available and accessed online. All individuals affected in this instance have been notified. 
• We have taken action to address the disclosure including having relevant documents removed from search engines.
• We have suspended the ability to submit information through webforms on the Commission’s website while ensuring there are alternative ways to securely share information. 

We are undertaking work to determine affected individuals and are notifying those affected by the data breach where we have contact details. 

Check this page for updates as the investigation progresses. 

ENDS | Media contact: media@humanrights.gov.au or 0457 281 897 (only calls, no texts please)