In a statement, NOVA chief executive Cathy O'Connor said the information that had been publicly disclosed was a "legacy dataset" which included information collected from listeners between May 2009 and October 2011.
The information included name, gender and date of birth, residential address, email address, and telephone number and usernames and passwords, which were protected by "hashing".
The company has radio stations in Sydney, Melbourne, Adelaide, Perth and Brisbane.
According to its website, the OAIC is closed between 25 December and 2 January, 2019.
Breaches of the law will attract fines of up to $360,000 for individuals and $1.8 million for organisations. Insufficient care of the data in question, if proved, could attract further fines. Only organisations with revenue of more than $3 million are covered.
O'Connor said NOVA had hired IDCARE, the national identity and cyber support service in Australia and New Zealand, to assist and support anyone affected by the leak.
The last OAIC quarterly breach report, for the period July-September, said the organisation had been informed of 245 data breaches, 57% being due to malicious or criminal attack and 37% being due to human error.