A Melbourne schoolboy who exposed serious cybersecurity weaknesses within Public Transport Victoria's systems by hacking its website to unearth a large store of personal data could be charged under the cybercrime act.

Joshua Rogers, 16, discovered an extensive database containing the personal details of public transport users in Victoria, using what cybersecurity experts described as a common hacking technique.

Joshua Rogers contacted PTV about the vulnerability on December 26. Credit: Simon Schluter

A self-described “security researcher”, he contacted PTV on Boxing Day to alert them to the site’s vulnerability, but got no response until Monday, following inquiries by Fairfax Media.

The database contained a large amount of personal data including full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and partial credit card numbers of customers of the Metlink public transport online store. The store was closed down in 2012 when PTV began.