​NSW Police tells TrainLink some credit info in database breach could be used

An investigation into the extent of NSW TrainLink's online reservation system security breach is currently underway.

NSW TrainLink's database linked to its online reservations system containing limited credit card information has suffered a security breach, and has been temporarily closed.

In an updated statement released on Monday, NSW TrainLink said NSW Police has informed the agency there is a risk the limited credit information in the compromised database, in some circumstances, could be used.

The agency said it is currently working with NSW Police and financial institutions to investigate the breach of its online reservations system, and will contact customers if their cards have been compromised.

"NSW TrainLink has established an incident response group and is working around the clock to assess the impact of this security compromise and will keep customers updated as the situation develops," it said.

The agency also warned customers to be "extra vigilant" to any unsolicited requests for personal information, saying they should notify their financial institution if there are any unusual activities on their card.

However, NSW TrainLink assured its online reservations system is a separate system from the one used to process financial transactions and its Opal card system, which were not impacted by the breach.

Details on how many customers may potentially be affected or when the compromise was discovered is unknown. ZDNet was informed by NSW TrainLink that given investigations are underway, no further information can be provided.

NSW TrainLink said it has also notified the Information and Privacy Commissioner, and is engaging with AusCERT, Australia's Cyber Emergency Response team to manage the investigation.

ZDNet has previously revealed Opal card data could be accessed by police without a warrant if there is reasonable evidence that an offence has occurred.

A report, released in May last year, revealed the New South Wales Police and the Department of Immigration have already been provided access to data recorded by the Opal transport smart card.

Transport for NSW confirmed to ZDNet at the time there had been 166 requests from NSW Police, and 15 requests from the Department of Immigration for personal data from the Opal card system since December 2014, with 57 disclosures. There were 19 disclosures related to offences, 32 disclosures on reasonable grounds for offences, and six requests related to missing persons.

The cards themselves do not store data, but Transport for New South Wales keeps personal information, trip history, and other data collected on passengers for seven years.

In February, Transport New South Wales awarded AU$1.8 million contract to Versent, which Minister for Transport and Infrastructure Andrew Constance said would provide a platform for app developers across the world to innovate and deliver new ideas to customers.

"Already we've seen over 3 million downloads of real-time transport apps to date and 90 million requests for timetable data each month," he said. "We're taking this even further by building a platform that will make information accessible to anyone who wants it.

"To start, we will make real-time transport data open for everyone to access -- but with big developments in areas like Opal data -- the possibilities are endless. Once we get the platform up and running by mid-year, we will work with the community to prioritise the data we make available."