Cybersecurity vulnerability revealed after NSW Government agency’s 49-day hack