Cyber Incident Victim: Auckland Transport
Date: Sep 2023
Location: New Zealand
Summary
Auckland Transport experienced multiple cyberattacks, including a ransomware incident targeting its HOP Card system that disrupted top-up services and a subsequent denial-of-service attack overwhelming its website with malicious traffic. The Medusa group demanded $1 million to prevent the release of customer financial data, but the agency dismissed the threat, asserting no data compromise occurred. While digital platforms faced intermittent disruptions, core HOP functionalities like card tagging and physical top-up options remained operational. The agency attributed both incidents to coordinated malicious activity and refused to engage with the perpetrators, acknowledging ongoing efforts to mitigate disruptions while apologizing for customer inconvenience.
Description
Auckland Transport experienced two related cyber incidents in September 2023. The first attack occurred in mid-September, targeting the agency's HOP Card electronic ticketing system. This incident disrupted top-up services and other HOP card functionalities, taking critical payment systems offline. A ransomware group named Medusa subsequently demanded a $1 million payment from Auckland Transport, setting a deadline of 8pm on September 26 for compliance. The attackers threatened to release customers' financial data if their demands weren't met. Auckland Transport dismissed the extortion attempt, maintaining confidence that no customer data had been compromised during this initial breach. Services gradually resumed following this incident, though full restoration took approximately two weeks.

On September 29, Auckland Transport suffered a second cyberattack believed to be connected to the earlier ransomware incident. This new attack manifested as a suspected denial-of-service (DoS) incident targeting the agency's digital platforms. The DoS attack overwhelmed AT's website with floods of malicious traffic, causing significant disruptions to online systems and public access channels. Auckland Transport confirmed this was a deliberate attempt to disrupt their operations rather than a new data breach. While website functionality remained intermittent, core HOP Card services including physical tag-on/tag-off capabilities and ticket machine top-ups continued operating normally. AT officials stated they were actively working to maintain system security and restore full website access, but warned customers to anticipate ongoing disruptions for an unspecified period. The transport agency reiterated its refusal to negotiate with or pay the attackers, characterizing both incidents as illegal malicious activities targeting public infrastructure.
