Human Rights Organization’s Complaint Forms Leaked Online


Australian Human Rights Commission Exposes 670 Online Forms, Leaving Sensitive Information Exposed for Over a Month


The Australian Human Rights Commission has reported a significant data breach involving unprotected online complaint forms, which inadvertently exposed the personal, healthcare, and demographic details of Australians for over a month. The breach was discovered on April 10, 2025, and was found to involve sensitive information from individuals who filed complaints between March 24 and April 10.

This incident also involved the disclosure of attachments uploaded via the Commission’s various online forms, including those related to the Speaking from Experience Project, Human Rights Awards 2023 nominations, and the National Anti-Racism Framework concept paper.

According to the Commission, approximately 670 documents were left accessible online due to the oversight. Of these, around 100 were accessed via search engines, raising concerns about unauthorized exposure of personal information. While some documents contained sensitive data, others were either devoid of personal information or comprised information that was already in the public domain.

The exposed forms detailed a range of personal and demographic information, such as names, email addresses, residential addresses, mobile numbers, employer details, personal health information, educational backgrounds, religious affiliations, and even photographs. The public availability of these forms spanned from April 3 to April 10, heightening the risk of misuse.

In response to this cybersecurity incident, the Commission has reported it to the Office of the Australian Information Commissioner and established a task force to assess the situation, identify the affected individuals, and remove sensitive information from search engine results.

As a precautionary measure, all online forms on the Commission’s website have been disabled. However, individuals can still submit complaints or nominations by accessing PDF or Word versions of the forms and sending them via email or traditional mail.

The timing of the Commission’s breach notification aligns with the release of the Office of the Australian Information Commissioner’s Notifiable Data Breaches report, highlighting that government agencies were involved in a significant number of data breaches—100 out of 595 notifications filed between July and December.

Human error has been identified as the primary cause of 29% of all reported breaches, often resulting from personal information being inadvertently shared or disclosed online. Information Commissioner Carly Kind noted that government entities are lagging behind other sectors in quick detection and reporting of cybersecurity incidents. The Australian Human Rights Commission’s data leak was undetected until more than two weeks after the initial exposure, emphasizing the need for improved incident response strategies.

In terms of technical implications, this incident could be associated with tactics from the MITRE ATT&CK framework, particularly ‘Initial Access’ and ‘Data Disclosure.’ The incident underscores the importance of organizations maintaining robust cybersecurity measures to protect sensitive information and respond effectively to any breaches that may occur.
