Joshua Rogers successfully hacked into the PTV's website to expose its vulnerability. Photo: Simon Schluter
The security flaw in the PTV website was discovered by schoolboy Joshua Rogers, 16, who used a simple hacking technique to unearth a database containing the personal records of customers of the former Metlink online store.
The database includes full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and nine-digit extracts of credit card numbers.
Joshua, a self-described ''white hat'' security researcher, said he was motivated by a desire to improve online security. He first contacted PTV by email on Boxing Day, but received no response. He later contacted Fairfax Media.
More than a week after Joshua made contact with PTV, it still had not responded, but this week it referred the matter to Victoria Police and Privacy Victoria following inquiries by Fairfax Media.
The method Joshua used to enter PTV's site has been described by cyber security experts as one that is easy to guard against.
It is not known if others have previously hacked the website, which is the primary online source for information about train, tram and bus timetables, myki, and current and planned public transport projects. Metlink was the Transport Department's ''shop front'' for public transport users before Public Transport Victoria's formation in 2012. An estimated 600,000 entries were found in the database.
Phil Kernick, of cyber security consultancy CQR, said PTV had failed to take proper care to secure its site from potential hacking.
''It's truly disappointing that a government agency has developed a website which has these sorts of flaws,'' Mr Kernick said.
''So if this kid found it, he was probably not the first one. Someone else was probably able to find it too, which means that this information may already be out there.''
Ty Miller, director of Threat Intelligence, which locates security flaws in websites so they can be fixed, said the type of personal information hidden on PTV's site was sought by criminal hackers.
''Most of the stuff is personally identifiable information that is often used for things like identity theft, for example, ringing up your bank, and then answering their basic questions - like, 'what's your birthday, what's your address','' Mr Miller said. ''That then allows you to maybe reset a password for internet banking and then make fraudulent transactions.''
Fairfax Media gave PTV time to secure its site before publishing.
A spokesman said the personal data was no longer accessible or available via any online system. He added that the database was not linked to myki online accounts and that no usable credit card details were stored in the database.