Transport for NSW has been forced to close down the online booking platform for its Trainlink service after attackers infiltrated the system and caputured some customer credit and personal data.
While Transport for NSW confirmed it was investigating the breach, it did not provide any further detail, including when the attack occurred and how many customers were affected.
Opal transport cards are not affected as they are kept on a separate system, the agency said.
The transport authority initially said the NSW Trainlink database did not contain "sufficient credit card information for it to be used in any transaction," but later reversed its statement.
After advice from the police, it said it now believes some customer credit card data could in fact be used by the unnamed attackers. It also indicated personal information had potentially been accessed.
The agency has called in both the police and AusCERT to help investigate the data breach and assess how much data has been accessed. It said it has also engaged the NSW Privacy Commissioner and financial institutions.
NSW Trainlink warned customers to be alert to phishing attacks and messages from scammers that ask for personal information or credit card details.
The authority also asked customers to keep an eye out for unusual activity on their credit cards.
The NSW Trainlink online booking system remains closed, with no time estimate for the restoration of service. Customers are asked to call 13 22 32 to make reservations.
iTnews has contacted Transport for NSW for further information on the breach.
Update May 30: The NSW Privacy Commissioner has advised that personal and financial details were likely accessed in the attack.
Elizabeth Coombs said specifics were unclear and the Transport department was continuing to investigate.
"... the department has been advised that there is a potential risk that personal and financial information may have been accessed, but the level of that risk is still being determined," she said in a statement.