Snapper takes ‘preventative measures’ after cyber-attack
Transport card operator Snapper has taken some of its services offline following what it described as an “unsuccessful” cyberattack on the business.
The company, which runs the payments cards used on Wellington buses, said the attack occurred in April and independent auditors were confident it had not resulted in the loss of any customer information.
But it said it had taken down the accounts section of its website as “a preventative measure” following an investigation while it hardened its security.
Snapper chief executive Miki Szikszai said a “web shell” was installed on one of its computer servers in an attempt to gain access to Snapper accounts.
Web shell attacks involve hackers taking advantage of vulnerabilities in organisations’ online infrastructure to install malicious code that they will usually later instruct to steal information.
Microsoft warned in February that such attacks were becoming more common and were popular with hackers as, once installed, web shells could create a permanent “backdoor” that was hard to detect.
Szikszai said Snapper became aware of the malicious software in late April during a security check. “We were unsure if it had been exploited, so engaged a company to undertake comprehensive forensic testing of the Snapper website.”
Snapper had wanted to “gather all the facts before communicating with our customers so we could say with certainty that their information was not accessed”.
Szikszai said there had been no communication from the hackers and it did not know who they might be or where they might be based.
The removal of Snapper’s accounts section means customers can’t check their transaction history and balances on the website. Szikszai recommended people instead download its Android or iPhone app to do that. It has also created workarounds using online forms for people to register new Snapper cards, or to block them if they have lost them. Customers could continue to use their cards as normal to pay for journeys, Szikszai said.