Data Breach Notification
Notice published 13 May 2025
The Australian Human Rights Commission has been affected by a data breach. The Commission acted to address the breach as soon as it came to our attention. We sincerely apologise for any distress or harm this data breach may have caused.
What happened?
On 10 April 2025, the Australian Human Rights Commission became aware of a data breach that involved the unauthorised disclosure of attachments uploaded through its complaint webform on the Commission’s website. We understand that this affected complaint attachments uploaded to the Commission’s online complaint webform between 24 March 2025 and 10 April 2025. We understand that these documents were made publicly available and accessed between 3 April 2025 and 10 April 2025.
Subsequently, on 8 May 2025, the Commission became aware that some attachments uploaded through the Commission’s webforms for its Speaking from Experience Project, Human Rights Awards 2023 nominations and the National Anti-Racism Framework concept paper were also affected by this data breach. We understand that these documents were made publicly available and accessed between 3 April 2025 and 5 May 2025.
The disclosure was not the result of a malicious or criminal attack. We will provide updated information as our investigations continue.
What information was affected?
The breach involved attachments that individuals uploaded to webforms on our website. These documents may contain various types of personal information, including full names, email addresses, residential addresses, mobile numbers, employers and roles, work contact information, personal health information, schooling information, religion and photographs. Some attachments contain no personal information and others contain information that is already publicly available.
Am I affected?
To the best of our knowledge, you may be affected if you:
- Made a complaint that included attachments using the webform on our website between 24 March and 10 April 2025.
- Made a submission to the Speaking from Experience project using the webform on our website (March – September 2024). UPDATE 14 MAY: There were 3 attachments submitted through the Speaking from Experience project webform that were made publicly available and accessed online. All individuals affected in this instance have been notified. If you made a submission through the webform to the Speaking from Experience project and have not been contacted by the Commission, you are not affected.
- Made a nomination to the Human Rights Awards 2023 using the webform on our website (3 July 2023 – 4 September 2023). UPDATE 16 MAY: The Commission has directly notified those individuals affected who are required to be notified under the Privacy Act.
- Made a submission to the National Anti-Racism Framework concept paper using the webform on our website (October 2021 – February 2022). UPDATE 16 MAY: The Commission has directly notified those individuals affected who are required to be notified under the Privacy Act.
How many documents are affected?
The Commission's best information is that around 670 documents were made potentially accessible in error. Of these, around 100 documents were accessed online, for example by search engines such as Google or Bing. Many of these documents contain personal information. Some documents contain no personal information and others contain information that is already publicly available.
We have taken action to address the disclosure including having relevant documents removed from search engines.
How many people are affected?
We are working as hard as we can to assess the number of people affected.
What is the Australian Human Rights Commission doing about this?
The Commission has established a taskforce to respond to the data breach and has taken immediate steps to prevent any further access to the affected documents. We have treated this data breach with the highest level of concern and are carrying out a thorough and comprehensive investigation and review of the impacted data, with the support of our experts. We have notified the Office of the Australian Information Commissioner (OAIC) about the data breach.
We have taken action to address the disclosure including having relevant documents removed from search engines.
While our investigation continues, the Commission has taken the precaution of disabling all webforms on the Commission’s website.
We are committed to supporting everyone affected by this data breach.
How will I know if my data has been accessed?
We are working to determine who has been affected by the data breach. We will directly notify individuals affected by the data breach for whom we have contact information. You may be contacted by us with details of the information we understand was involved and the supports available to you.
If you think you may have been affected, you can contact us for more information. Our contact details are below.
Can I still submit complaints even though the webform has been removed?
If you need to submit a complaint to us, you can still download a PDF or Word version of the form, complete it and return it by email or post.
Can I still submit concerns about non-compliance with the positive duty?
If you would like to submit information about concerns that an organisation or business is not complying with the positive duty to prevent workplace sexual discrimination, harassment and other unlawful behaviour, you can find out how here.
What can you do to stay safe?
- Remain vigilant to scams or suspicious communications.
- Do not click on links or respond to messages that appear suspicious.
- Monitor online accounts for any unusual activity.
- Report anything unusual such as identity verification requests or unexpected communications to local authorities.
- Do not share any information without independently verifying the identity of the requester.
- If available, use email filtering tools to block phishing attempts.
- Change passwords for any online accounts associated with your email address.
- Request a credit report from Equifax, illion, or Experian and consider placing a temporary credit ban if you suspect misuse.
- If possible, enable Multi-Factor Authentication on online accounts.
- If you notice any suspicious activity, contact IDCARE for support and to be connected to a specialist identity and cyber security counsellor.
Further support is available from the following organisations:
- For guidance on how to protect yourself from scams: Scamwatch
- Tips to protect your privacy: OAIC Guidance
- General advice on how to protect yourself online: Protect Yourself
- If you receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers.
For mental health information and support:
- Online peer support community
- Call a counsellor: 1300 224 636
- Chat online
- Email support
- Phone: 1800 55 1800
- My Circle social platform
- WebChat counselling
- Email counselling
Next Steps
If you have any concerns about what has happened or would like further information, you can contact us by:
Data Breach Helpline - 1800 512 254 Operating hours 9:00am - 5:00pm (AEST).
Or
Email us at privacy@humanrights.gov.au