Cyber Incident Victim: Oahu Transit Services Inc.
Date:
Jun 2024
Location:
United States of America
Summary
A cyberattack disrupted Oahu Transit Services' online systems, including real-time GPS tracking, website functionality, and Holo card payment readers, though physical bus and paratransit operations continued with call centers remaining accessible. The incident marked the contractor's second breach in three years, with no ransom paid and the attack's specific nature remaining undetermined despite indications of external actor involvement. Federal and local authorities, including the FBI, collaborated in the response while the contractor's cybersecurity team worked to restore services cautiously. The city's separate IT infrastructure was unaffected due to network segregation, with officials highlighting existing defenses like zero-trust policies and frequent backups to mitigate such threats. Previous breaches involved phishing incidents and a 2021 attack suspected of Russian ties.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 15, 2024, Oahu Transit Services Inc. (OTS), the private contractor managing Honolulu’s bus and paratransit systems, experienced a cyberattack that disrupted critical online services. Thebus.org website, Honolulu Estimated Arrival (HEA) real-time tracking, GPS services for TheBus and TheHandi-Van, and Holo card payment readers became inoperable shortly after the breach was detected. Initial system failures occurred Saturday morning, prompting OTS cybersecurity teams to intervene. By Saturday afternoon, phone systems and basic transit operations were restored, allowing TheBus and TheHandi-Van to continue transporting passengers with minor interruptions. Call centers remained open for rider inquiries and Handi-Van reservations, though digital services like real-time tracking and online payments remained offline through at least Tuesday, June 18. Skyline rail operations, which use separate infrastructure, were unaffected, and riders could still tap Holo cards at fare gates. OTS Director Roger Morton confirmed no ransom had been paid and stated the exact nature of the attack remained unclear, though an “outside entity” indicated an external actor infiltrated the systems. The Honolulu Police Department, FBI, and other law enforcement agencies were notified, with the FBI acknowledging collaboration with local partners but declining to confirm an active investigation.
This marked the second cyberattack against OTS in three years, following a December 2021 incident where Russian-affiliated hackers disrupted TheBus app, Holo card systems, and online services. While city IT systems—separate from OTS networks—remained uncompromised during both attacks, the 2021 breach led OTS to consult with transit agencies in San Francisco, New York, Santa Clara, Dallas, and Ann Arbor for recovery insights. OTS maintained monthly federal cybersecurity vulnerability assessments and had scheduled a firewall update for June 17, which was delayed due to the breach. City officials emphasized their “zero trust” security architecture, frequent backups, encrypted storage, and phishing defenses—including blocking external email providers since a 2016 employee phishing incident—prevented operational disruptions to municipal systems. Daily phishing attempts exceeding one million monthly attacks targeted city infrastructure, including a recent bot assault on an election website. Despite these threats, no city ransomware payments or prolonged outages occurred since 2013, contrasting with OTS’s recurring breaches affecting customer-facing transit technologies.