Transport for NSW (TfNSW) is the latest government department to admit it suffered a data breach as a result of a vulnerability in legacy Accellion software.
In an announcement posted on Tuesday, the state transport agency said some information was taken during an attack on its file transfer system.
"An active investigation is underway and identifying risks to customer information is our priority," Transport for NSW said.
"Transport for NSW will ensure that any notification process for those affected will be clearly communicated and secure."
The government was notifying affected residents by post.
A vulnerability in Accellion's legacy File Transfer Appliance (FTA) left it open to a SQL injection attack which saw attackers access credit licence information held by the Australian Securities and Investments Commission (ASIC).
Cyber Security NSW said in a notice that Transport for NSW and NSW Health were both "among agencies" affected by the Accellion vulnerability which was discovered in January.
"Forensic analysis by industry specialists has established there was no third-party access to major agency systems including the Driver Licence systems, the Opal travel systems, or electronic medical records systems used by public hospitals," Cyber Security NSW said.
"Scammers may try to capitalise on these events. Customers should not respond to unsolicited phone calls, emails or text messages related to any security matter."
The state security agency said the NSW government has "retired all instances of Accellion FTA" in response to last month's incident.
Richard Marr, Australia-Pacific General Manager of security firm Auth0, said the NSW government Accellion incident once again highlights a need for organisations to adopt a multi-faceted approach to cyber security.
"As public users and consumers give more of themselves away online to access digital services, they expect that their data is safe," he said.
"With the complexity of today’s attacks, one tactic alone is not enough."
The NSW government has been overhauling its cyber security after a 2018 state auditor- general's report found the government's ability to detect and respond to security incidents was lacking.
Speaking at a recent NSW parliamentary inquiry into cyber security, CEO of Cyber Security NSW Tony Chapman said the state government had begun taken important steps toward better information security.
"In February 2019, we implemented the NSW Cyber Security Policy and an Australian-leading set of cybersecurity standards," he told the inquiry.
"These standards take a risk-based approach to cybersecurity.
"For the first time in New South Wales, government agencies are now required to annually assess their cybersecurity maturity."