The university received a letter from the audit office last month stating the matter had been resolved,she added.
Thirty-five weaknesses posing a"moderate risk"were uncovered in the risk controls of the remaining universities.
Among them,28 were"repeat findings",where the university had not acted on a previous audit recommendation.
Problems included a lack of monitoring of user access,such as for terminated employees,and password settings that did not align with security policies.
The weaknesses presented"significant"vulnerabilities for the universities and could lead to financial or reputational losses,the Auditor-General warned.
"Poor IT controls increase the risk of inappropriate access,cyber security attacks,data manipulation and misuse of information and assets,"the audit said,adding that the need for"specialist skill"and"extensive testing"could make the problems slow to resolve.
Education Minister Dan Tehan said he would invite all university vice-chancellors to a briefing at the Australian Cyber Security Centre to ensure they were using the latest and most comprehensive cyber security.
“Universities have a responsibility to protect the information they hold about individuals and the research they are conducting,"Mr Tehan said.
In 2016,the University of Sydney was involved in a major privacy breach as it admitted to"losing"a notebook computer containing sensitive student information. A year earlier,the University of NSW's Facebook page was hacked twice in two days.
Loading
UNSW was alerted to three"moderate"IT control risks in the audit. A spokeswoman said it was working"closely and collaboratively"with the NSW Audit Office to address the risks.
Two low-level IT risks - both"repeat"findings - were identified at the University of Sydney.
It's understood they did not relate to personal data,and the university has changed or is in the process of changing its policies.
"[We] are acutely aware of the sector's vulnerability to cyber-attacks,"a spokeswoman said."In 2017 we began a program to significantly enhance our capabilities to match such threats ... to date,we have no evidence of any significant data breaches."
Seven universities reported data breaches,generally resulting from human error,system fault or malicious attack.
Three universities had not developed formal policies to manage data breaches and had not trained their staff in data protection.
Combined,the universities across NSW spent $24 million in managing cyber security in 2018.
Tom Uren,a senior analyst at the Australian Strategic Policy Institute's International Cyber Policy Centre said cyber security was generally"pretty poor"across a broad range of organisations where there were"other priorities and limited budgets".