Personal information of Australians such as names, contact details, health information, photos, and addresses have been mistakenly made available online by the Australian Human Rights Commission.
Around 670 documents held by the commission were “potentially accessible” on the public internet between April and May 2025, with around 100 of them confirmed to have been accessed through search engines, the Commonwealth-funded body announced on Wednesday.
Other information featured in some of the documents included details of individuals’ employers, work roles, and information about their education history and religious beliefs.
Some of the documents contained no personal information, the commission said, while others contained information which was already publicly available.
The commission has not confirmed how many people may have had their information leaked in the accidental disclosure.
“We sincerely apologise to people who may be affected,” the Australian Human Rights Commission said in a statement.
“The commission is contacting affected individuals for whom we have contact information to advise them of the breach.”
What caused the breach?
The commission said it was made aware on 10 April that some attachments uploaded through a complaints form on its website had been inadvertently made publicly available.
The commission has not stated whether the issue was the result of human error or a system fault.
“We immediately acted, including by launching an investigation and disabling the attachment function on our complaint form,” the commission said.
“The disclosure was not the result of a malicious or criminal attack.”
Attachments uploaded through the commission’s online complaints form between 24 March and 10 April 2025 were affected, with those documents made publicly available between 3 April and 10 April, the commission said.
Some attachments uploaded through other forms on the commission’s website — including award nominations and a project on workplace sexual harassment — were also made public.
The commission said it was made aware of those documents on 8 May, after they were left publicly viewable between 3 April and 5 May.
The Australian Human Rights Commission is an independent organisation established by federal legislation. Image: Australian Human Rights Commission
Only three attachments from the sexual harassment project, dubbed the ‘Speaking from Experience’ project, had been accidentally disclosed, with anyone whose information was leaked in those documents already notified, the commission said.
“We have taken action to address the disclosure including having relevant documents removed from search engines,” it added.
“We have suspended the ability to submit information through webforms on the Commission’s website while ensuring there are alternative ways to securely share information.”
People who believed they may have been affected by the breach should “remain vigilant to scams or suspicious communications”, said the commission, which has set up a helpline for concerned individuals.
The organisation added that it took privacy and data protection “very seriously” and had reported its unauthorised disclosures to the federal regulator, the Office of the Australian Information Commissioner (OAIC).
Government agencies report second-most data breaches
Australian government agencies reported the second-most data breaches of any sector between July and December 2024, representing 17 per cent of all breaches according to the OAIC’s latest statistics.
Government agencies were second only to health service providers, which accounted for 20 per cent of all breach notifications.
Australian Privacy Commissioner Carly Kind said businesses and government agencies needed to “step up privacy and security measures”.
“Australians trust businesses and government agencies with their personal information and expect it to be treated with care and kept secure,” she said.
“Individuals often don’t have a choice but to provide their personal information to access government services.
“This makes it even more important that agencies keep personal information secure and have an action plan in place should a breach occur.”
