Melbourne schoolboy Joshua Rogers claimed he has chanced upon a security flaw in the Web site of Public Transport Victoria (PTV), and now the government authority has reported him to the police.

The 16-year-old self-proclaimed white hat hacker stumbled upon the weakness while browsing the site. He discovered an extensive database for the old Metlink store that contains PTV users’ personal details, including their names, birth dates, email addresses, phone numbers, and partial credit card information.

“I was actually looking for the cost of Boxing Day tickets and Christmas Day tickets and found an error on the Web site,” Rogers told ABC News. “Just from basic instinct I knew what the error meant and how it could be leveraged for database access.”

The student added that that half of all Web sites are vulnerable to the same problem, which is caused by “lazy coding.”

“When companies take money from the development side and just pocket it themselves,” he explained. “They just don’t invest enough money in security. Absolutely easy to fix. But you just have to know what to do.”

He alerted PTV on Boxing Day, but he only received a response the following Monday upon inquiries by Fairfax Media, which only published the news after giving PTV time to secure its site.

PTV said in a statement that it has already fixed the problem, but also that it has referred the security breach to the police. It did not confirm whether it is going to sue Rogers for the unauthorised access of its network, only saying that the matter is already under investigation.

“PTV takes security breaches very seriously and has referred the matter to Victoria Police for investigation and to Privacy Victoria,” a spokesperson said. “PTV can confirm that this is the only known attack on its Web site.

“Customers can rest assure that the database is in no way linked to myki online accounts and no useable credit card details were stored in the database.”

According to cyber security expert Phil Kernick of CQR, Rogers technically had committed a crime because he accessed PTV’s Web site without authorisation. Such thing Is illegal under the cyber crime act. However, it wasn’t the teenager who had failed the public.

“[Rogers] wasn’t authorised by Public Transport Victoria to do this testing, but he didn’t make the data of all the users of PTV available, they did,” he told Fairfax.

“Everyone is being attacked all the time, so if your Web site is not going to survive tis level of attack you’re going to get owned.”