Cyber Incident Victim: Auckland Transport
Date:
Sep 2023
Location:
New Zealand
Summary
Auckland Transport was hit by a ransomware attack attributed to the Medusa group, which took down the payment side of its HOP card network. The attackers compromised a transaction database but, according to Auckland Transport, did not obtain any personal or financial customer data. Online top-ups and Eftpos/credit card payments were disabled, though commuters could still travel by tagging on and off as normal. The affected system was isolated and taken offline for rebuilding, with full restoration expected within a week.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around September 12, 2023, Auckland Transport was the victim of a significant cyber incident that targeted its HOP card payment network. The intrusion was first detected in the early hours of Wednesday, September 13, and by Thursday, September 14, the impact on services had been publicly reported. The chief executive of Auckland Transport, Dean Kimpton, confirmed the event was a ransomware attack attributed to a group known as Medusa. The group gained access to one part of Auckland Transport's transaction database related to the HOP card system. The primary objective appeared to be extortion: the ransomware actors contacted Auckland Transport, demanded payment, and threatened to release customer information. The organization maintained a firm policy of not responding to such demands, a stance consistent with standard practice across New Zealand.

The immediate effect of the cyber intrusion was the widespread disruption of numerous critical services within the Auckland Transport HOP network. Online top-ups for HOP cards, which are conducted through the MyAT HOP portal on the organization's website, became completely unavailable. Furthermore, the ability to use Eftpos or credit cards for transactions was knocked out. This outage extended to physical infrastructure as well; ticket and top-up machines located at transport hubs were impacted. While some of these machines continued to operate, they were only able to accept cash payments, and a number of them were rendered entirely inoperative. Auckland Transport customer service centers also experienced severely limited functionality, with most only able to process cash transactions due to the system-wide failure. Retail partners that typically offer HOP card top-up services were similarly affected and unable to process any card-related transactions or load concessions for customers.
Despite the severe disruption to its payment processing systems, Auckland Transport took swift action to ensure that public transport services could continue operating for commuters. The organization communicated with all its public transport operators, instructing them to allow all passengers to board buses, trains, and ferries even if they were unable to top up or use their HOP cards. This measure was crucial in maintaining the city's public transportation network during the crisis. A key reason this was possible lay in the design and isolation of the onboard systems. The terminals on buses, ferries, and trains used for tagging on and off were described as having a seven-day memory capacity and were isolated from the main network that was compromised. This isolation meant that the live tagging data was stored locally on these devices and was not accessible to the ransomware actors, allowing commuters to continue tagging on and off as normal without immediate risk to that specific stream of data.
From a technical perspective, the attack was successfully contained and isolated to a single segment of the organization's database. Auckland Transport’s cybersecurity protocols were activated immediately upon discovery of the breach. The compromised section of the transaction database was taken entirely offline to prevent the threat from spreading to other systems. This containment strategy was a critical step in mitigating further damage. The organization then began the process of rebuilding the affected database component from scratch, a task that was anticipated to take until the early part of the following week to complete fully. Throughout this process, Auckland Transport emphasized that it was working with cybersecurity experts to conduct a thorough, top-to-bottom review of its systems to understand the breach and reinforce its defenses.
A paramount concern during any data breach is the security of customer information, and Auckland Transport provided specific reassurances on this matter. Chief executive Dean Kimpton stated unequivocally that no personal, private, or financial data was believed to have been compromised in the incident. He clarified that the breached transaction database contained only information related to HOP card transactions and did not house sensitive customer details, banking information, or other private data. The ransomware group's threat to release customer information was assessed as a bluff because, on Auckland Transport's analysis, the group did not hold that category of data. This assessment provided a significant measure of relief to commuters concerned about the privacy of their personal and financial details. The only customer data at risk of being lost was the tag-on and tag-off records held on the isolated onboard terminals, which would start to be lost if the outage outlasted their seven-day memory; the anticipated restoration timeline fell within that window.
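The store-and-forward design credited above for keeping services running (onboard readers that hold up to seven days of tag events locally, isolated from the back-end database, and the data-loss exposure if the outage outlasts that window) is worth seeing concretely. The following is an added example written for this page; it is not Auckland Transport's code, and the class names, the push-only sync, the one-tag-per-day pattern and the timestamps in the simulation are assumptions used to model the behaviour the page describes, not details the page supplies.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention stated on the page for the onboard readers: seven days of local memory.
RETENTION = timedelta(days=7)


@dataclass(frozen=True)
class TagEvent:
    card_id: str
    stop: str
    direction: str  # "on" or "off"
    ts: datetime


class Backend:
    """Hypothetical central transaction store. `reachable` is switched off while
    it is isolated for rebuilding. Readers never pull from it; they only push."""

    def __init__(self):
        self.reachable = True
        self.received = []

    def accept(self, event):
        self.received.append(event)
        return True


class OfflineTerminal:
    """Hypothetical onboard reader. Tags go into a time-bounded local store and
    are forwarded only when the reader itself opens a connection to the back end.
    Nothing in the back end can reach into this buffer, which is the isolation
    property the page credits for keeping tagging alive during the outage."""

    def __init__(self, terminal_id, retention=RETENTION):
        self.terminal_id = terminal_id
        self.retention = retention
        self._buffer = deque()   # oldest event at the left
        self.dropped = 0         # events lost because they aged past retention

    def tag(self, card_id, stop, direction, now):
        self._buffer.append(TagEvent(card_id, stop, direction, now))
        self._expire(now)

    def _expire(self, now):
        # Anything older than the retention window is gone for good.
        cutoff = now - self.retention
        while self._buffer and self._buffer[0].ts < cutoff:
            self._buffer.popleft()
            self.dropped += 1

    def flush(self, backend, now):
        """Push buffered events in order. Returns how many were delivered."""
        self._expire(now)
        if not backend.reachable:
            return 0
        sent = 0
        while self._buffer and backend.accept(self._buffer[0]):
            self._buffer.popleft()
            sent += 1
        return sent

    def pending(self):
        return len(self._buffer)


def simulate_outage(outage_days, retention_days=7):
    """Constructed scenario: one reader records one tag per day, the back end is
    unreachable for `outage_days` days, and the reader attempts a sync each day.
    Returns how many events were delivered, dropped and still pending."""
    t0 = datetime(2023, 9, 13, 6, 0, tzinfo=timezone.utc)  # constructed start time
    backend = Backend()
    reader = OfflineTerminal("bus-0001", timedelta(days=retention_days))
    delivered = 0
    for day in range(outage_days + 1):
        now = t0 + timedelta(days=day)
        reader.tag("AT0000001", "Britomart", "on", now)  # constructed sample tag
        backend.reachable = day >= outage_days
        delivered += reader.flush(backend, now)
    return {"delivered": delivered, "dropped": reader.dropped, "pending": reader.pending()}


if __name__ == "__main__":
    print(simulate_outage(5))  # outage inside the window: nothing lost
    print(simulate_outage(9))  # outage outlasts the window: the oldest two days are lost
```

A five-day outage delivers every buffered tag once the back end returns; a nine-day outage silently drops the two oldest days, which is exactly why the stated restoration timeline mattered. The reader initiating every connection is what makes the buffer unreachable from a compromised back end; a design where the back end could query readers directly would not have that property.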
The incident also highlighted the persistent threat landscape faced by critical infrastructure organizations. Dean Kimpton revealed that Auckland Transport's systems were subject to several attempted breaches every week. He noted that this ransomware attack was the first successful intrusion the organization had experienced in a decade, indicating that its defenses had generally held over a long period. Kimpton expressed initial satisfaction that the organization's cybersecurity measures were up to date prior to the attack, but the event nonetheless prompted an extensive reinvestigation and strengthening of all systems. He also clarified that a separate issue which affected live timetable boards the previous month was entirely unrelated to this cybersecurity incident.
The operational impact of the attack was detailed in a list of all affected services, providing clarity for commuters navigating the disrupted system. The unavailability of online top-ups and Eftpos/credit card transactions was the most widespread issue. For customers who had set up automatic top-ups on their HOP cards, the service continued to function, but there was a noted delay in the processing of those payments due to the offline systems. The cash-only operation at physical machines and customer service centers created inconvenience but ensured a minimal level of service could continue. The complete inability of third-party retailers to perform any HOP-related services further extended the ripple effects of the attack into the broader community. The response and recovery efforts were entirely focused on restoring these services by rebuilding the compromised database infrastructure while maintaining the continuity of public transport operations through adapted procedures and the inherent resilience of the isolated onboard terminal network.
