Date: 2021-05-14

Snapper says independent auditors are confident information was not compromised after an attack in April.

Transport card operator Snapper has taken some of its services offline following what it described as an “unsuccessful” cyber-attack on the business.

The company, which runs the payments cards used on Wellington buses, said the attack occurred in April and independent auditors were confident it had not resulted in the loss of any customer information.

But it said it had taken down the accounts section of its website as “a preventative measure” following an investigation while it hardened its security.

Snapper chief executive Miki Szikszai said a “web shell” was installed on one of its computer servers to attempt to gain access to Snapper accounts.

Web shell attacks involve hackers taking advantage of vulnerabilities in organisations’ online infrastructure to install malicious code that they will usually later instruct to steal information.

Microsoft warned in February that such attacks were becoming more common and were popular with hackers as, once installed, web shells could create a permanent ‘backdoor’ that was hard to detect.

Szikszai said Snapper became aware of the malicious software in late April during a security check.

“We were unsure if it had been exploited so engaged a company to undertake comprehensive forensic testing of the Snapper website.”

Snapper had wanted to “gather all the facts before communicating with our customers so we could say with certainty that their information was not accessed”, he said.

Szikszai said there had been no communication from the hackers and it did not know who they might be or where they might be based.

The removal of Snapper’s accounts section means customers can’t check their transaction history and balances on Snapper’s website.

Szikszai recommended people instead download its Android or iPhone app to do that if they can.

It has also created workarounds using online forms for people to register new Snapper cards, or to block them if they have lost them.

Customers could continue to use their cards as normal to pay for journeys, Szikszai said.

But the company said in a statement that the investigation following the attack showed it needed to update its technology platform “so we can be certain of our defences against future attacks”.

Rebuilding its accounts section on new technology meant it would be able to deliver new features, faster, in future, it said.

“We will release account features as soon as they become ready, and it is our goal to begin rolling them out by August,” it said.