Murray Irrigation said data held in a geospatial information system was accidentally exposed, making it publicly accessible.
The company, which operates under license from the NSW government, revealed the data breach on December 19, but it was only picked up by rural publication Southern Riverina News overnight.
The company said 10 types of data on landholders stored in its ArcGIS Online platform “was unintentionally made publicly available.”
The exposed data included personal information, water account balances, landholding data and “customer flags”.
Not all customers of the organisation were affected, the company said, although it did not quantify this statement further.
The company said it had locked the system down as part of its containment actions and that the information was no longer exposed.
It also pledged “a full external investigation to ensure Murray Irrigation does everything within its power to contain the incident and prevent this from occurring again.”