Refugee and Immigration Legal Centre executive director David Manne said the breach itself is grounds for their protection claims to be recognised.
"Under Australian law, and indeed international refugee law, it is crystal clear that the disclosure of a person's identity after they've fled can result in a heightened risk of harm, and it can also constitute independent grounds for being granted protection," Mr Manne said.
Earlier this year, a file publicly and inadvertently made available on the Department of Immigration and Borders Protection website revealed the personal data of about 10,000 asylum seekers in detention.
Immigration has now sent a letter to a number of those exposed informing them they have 14 days to state - preferably in English - how that data breach could impact their ability to return home.
It's understood those who have received the letter will be forced to leave Australia if no response is provided.
But Mr Mannewarned said only a portion of those who are asked to provide a response would receive adequate support in lodging their statement.
"What we have in Australia is a complex processing regime, which presents great difficulties for many people who come here seeking asylum, great difficulties in relation to both understanding the legal and procedural requirements, and also great difficulties in being able to present their claims in a way that is expected and that's ordinarily in writing, in a language that often is not their own," he said.
Mr Manne said it was not clear how many of the asylum seekers affected by the data breach have been contacted by Immigration, nor whether children are also involved.
He said Immigration needed to explain more clearly how it intends to act once responses are received.
"One of the real concerns that remain is the lack of information about the process under which this data breach and any claims that people have arising out of it will be processed," he said.