No. This is simply wrong. If "Metlink were simply following their IRP" then they would have started investigating and taking action last month when their gaping security violation was first reported. Instead they did nothing until exposure of their incompetence was threatened by mainstream media.
It all depends on the IRP, most Australian transport organisations do not have a incident response plan for this report from a member of the public (I.T. or otherwise), but they do have them for various PR issues such as public disclosure of security issue (I.T. or otherwise). I'm not saying it's right I'm just explaining how it occurs, and given the public profile of the incident, I'm not sure I'd want to be the one deviating from the established IRP even if it wasn't written with this in mind.
The system is run externally by the warehouse and separately to the ATO," a spokesperson told SC....It is unable to access taxpayer information or their details. There are no financial or bank account details stored on POS.
A case of not reading the article, it's blatant FUD.