AHRC Data Leak Exposes Sensitive Info in Complaint Forms

The Australian Human Rights Commission (AHRC) has disclosed a serious data breach that resulted in hundreds of sensitive documents being publicly accessible online for weeks. The breach, which was first discovered on April 10, stemmed from an internal error that affected complaint forms submitted through the AHRC’s website.

Attachments uploaded via the commission’s online complaints form between March 24 and April 10 were mistakenly made publicly available from April 3 to April 10. A separate issue, discovered nearly a month later on May 8, revealed that attachments submitted through web forms for other AHRC initiatives (such as the Speaking from Experience Project, the Human Rights Awards 2023 nominations, and the National Anti-Racism Framework) were also exposed from April 3 to May 5.

Hundreds of Sensitive Files Exposed

According to the AHRC’s preliminary findings, around 670 documents were unintentionally published due to the technical oversight. These files may have contained highly sensitive personal details depending on what each individual submitted, including:

  • Full names, emails, and phone numbers
  • Residential and work addresses
  • Employment details, including employer and job title
  • School affiliations and personal health information
  • Religious beliefs and photographs

While the commission stressed that the incident was not the result of a cyberattack or any external malicious activity, the exposed data could still present a high risk. The availability of such detailed personal information online could be a goldmine for scammers and social engineering attacks.

Investigation Underway, Web Forms Disabled

In response to the breach, the AHRC has set up a dedicated task force to assess the scope of the leak, identify affected individuals, and implement additional security measures. All online web forms on the commission’s website have been taken offline, and the Office of the Australian Information Commissioner (OAIC) has been formally notified.

The commission is encouraging anyone who may have used its website forms between March 24 and May 5 to remain alert and monitor their accounts for suspicious activity. They’ve also advised the public to be cautious of potential phishing attempts or other scams that might exploit the leaked information.

Concerned individuals can reach out to the AHRC directly via email at: [email protected]

This breach is a sobering reminder that even well-meaning institutions can fall victim to internal oversights—and that when personal data is involved, the consequences can ripple far beyond a simple mistake.
