14 Sep 2023

Suspected cyberattack crashes Auckland Transport card network

7:24 pm on 14 September 2023
Auckland commuters 25 and over return to full-price public transport fares.

HOP cards have been affected by what Auckland Transport says is a cyberattack. Photo: RNZ / Ziming Li

Cyber criminals have targeted Auckland Transport's HOP system, knocking out a number of services on Thursday.

Online top-ups and transactions using Eftpos and credit cards were unavailable, but Auckland Transport (AT) said customers could still catch buses, trains and ferries while the issue was being resolved.

Some ticket and top-up machines may also not be working.

AT said it had spoken to all its public transport operators and asked them to ensure their staff are letting commuters onboard, even if they were unable to top up and use their AT HOP card.

It said cyber security was something it took extremely seriously, and it had activated its security protocols.

It was working to resolve the issue as quickly as possible, but AT anticipated it may take until early next week to fully restore services.

No private or banking details breached - AT

AT chief executive Dean Kimpton confirmed it was a ransomware attack, called Medusa, and reassured commuters that no personal or financial data was believed to have been compromised in the incident.

"They've got into our transaction database. All that is is that information from your HOP card, it's in that transaction database. No customer information, banking or private details that we know of, ... has been breached nor any other systems."

The attack was isolated to one part of the database, which had been taken offline, Kimpton told Checkpoint. AT expected to have it rebuilt and be back in operation by next week.

"The only live parts of the system is the terminals on buses, ferries and trains - where you tag on, tag off - and they've got a seven-day mutiny on them and they're isolated so they're not downloading to anything.

"That's why we're encouraging everybody to tag on and off as normal, because that's where the data is stored.

"If this goes longer then seven days, then on the eighth day it won't be holding that information, but up til then, we've got a system with a memory and it's isolated, so there's no way to get to it if you're a ransomware actor."

The attack was first discovered in the early hours of Wednesday morning.

Kimpton said the ransomware attackers had asked AT to contact them, threatening to release customer information, but the attackers did not have access to that information.

"Our policy here, and it's consistent throughout New Zealand, is that we don't respond to malicious, illegal, ransomware attacks."

He did not know if the attack originated offshore or from within New Zealand.

"We don't know who they are and to be fair I'm not particularly interested."

There were several attempts to breach AT's systems every week, but this was the first in 10 years that appeared to have got through, Kimpton said.

However, he said he was satisfied that cybersecurity in the system was up to date.

"I can tell you we're going back through everything, top to bottom, we have cybersecurity expert advice on our team and we are being extremely thorough."

Kimpton also clarified the issue with the live timetable boards last month was unrelated and separate.

All affected services:

  • Online top-ups, as well as other AT HOP services using MyAT HOP on their website, are currently unavailable.
  • Existing auto top-ups will still work, but there will be a delay in the payment being processed.
  • Ticket and top-up machines are only accepting cash payments. Transactions using Eftpos/credit cards are unavailable. Some machines may not be working.
  • AT customer service centres will have limited functionality and may only be able to accept cash payments.
  • AT HOP retailers are unable to top up HOP cards or process other AT HOP services like loading concessions.