15 Oct 2023

AT cyber attacks pose no risk for development of NZ-wide ticketing system - authorities

6:16 pm on 15 October 2023

Ransomware and 'denial of service' attacks hit Auckland Transport in September, hobbling HOP card and ticket services, but authorities say those cyber attacks have no implications for the cost or timeframe of the project to deliver a nation-wide public transport ticketing system. Photo: 李子明

Cyber attacks on Auckland Transport have not given authorities cause for pause over the security of the much larger, incoming high-tech nationwide ticketing system.

This is despite the problem of getting enough "security resources" on the national ticketing project being listed as a key risk in June and July.

The project's security milestones were reporting "red", the worst category, in April, according to newly-released project updates.

In Auckland last month, a ransomware attack followed by "denial of service" attacks - sending so much traffic to AT's website it was overwhelmed - hobbled HOP card and ticket services.

"We are confident no customer or financial data has been compromised," AT said.

AT is the most important out of the dozen or so city and regional public transport systems signed up to the $1.4 billion National Ticketing Solution (NTS) being built by a US transport-and-military contractor, Cubic.

It is not just personal identifying information that is valuable, but travel history data, too, which the NTS and Cubic are promising to guard closely.

The Auckland cyber attacks were completely unrelated to the national project work, and had no implications for its cost or timeframe, said AT's NTS programme director Marlene Kotze.

"We don't believe the attack ... poses any risk for [the] broader NTS programme."

Waka Kotahi agreed: "As the NTS systems are not related to or directly connected with the AT environment, there is no impact at all on NTS from the AT hack," it said.

Kotze told RNZ in a statement that AT was reviewing the attacks and would share any insights with Waka Kotahi.

Shifting the entire country to a national system for smartphone-approved travel on bus, train and ferry tickets - aimed for by 2026 - reduces the risk of any one local system being hacked, but escalates the consequences if the national system itself falls prey to cyber criminals.

Among the nine project updates and briefings released to RNZ under the OIA, those in June and July both stated: "Resourcing remains an ongoing challenge, particularly for security resources."

Security had loomed large at the project's governance board meeting in April.

"The board queried the at-risk security and commercial milestones," the board paper said.

"Work continues to address resourcing challenges. While the milestone is reporting red, it is not on critical path, the task is delayed. The programme team are working closely with the Waka Kotahi security group to mitigate the risk.

"A security working group is being established" with members from across the councils.

"A draft security strategy is under review and the team are currently working to finalise document ... The board asked to be updated on the security risk as it progresses."

Cyber attacks are just one threat to users' personal and travel data: The papers show the NTS project was directed to put more "guard-rails" into the privacy impact assessment around who could access the data.

New Zealand is a guinea pig for Cubic.

The US firm has done city- and state-wide ticket systems, such as in Queensland, but this is its first whole-country rollout.

The updates betray nerves about its efforts.

"Cubic are aware of our concern," the June update said.

"Based on the feedback provided both by us as well as Queensland, Cubic are strengthening their delivery capability in the region" with a new regional leader.

Cubic turned up at the meeting in June, stating, "quality and delivery reputation are important to Cubic" and giving the assurance "Cubic will not go live without a ready and fit-for-purpose solution".

It was not enough - July's update said: "Our overall confidence level with the plan remains at [REDACTED] which will improve once we have finalised the dependencies and risks, as well as when the detailed design is locked-down."

Elsewhere it was stated: "The board expressed concern around timelines and asked how realistic the schedule is."

Time and again the briefings show up the stress of getting enough people doing the right things, on time and within budget.

The board wanted standard tech, "no customisations unless critical".

"Key for a successful delivery is the need to make decisions fast," it said in June, before going on to list the drag from slow work on delegating, branding and forming groups.

In May, both the budget and timing of the whole project were rated amber (red is worst, green is best), though, perhaps remarkably, the update said: "Based on current model we anticipate an underspend."

Another key risk listed was "effective Māori engagement".

Waka Kotahi had Cubic all signed up last October, well before it engaged substantively with Māori.

In February, an update said: "Māori engagement discussion: this is becoming an activity on the critical path. We need to ... get this moving with urgency."

In March: "Talk to Māori and iwi interest groups on substantive matters rather than just brand ... It should focus on support and priorities for achieving iwi/Māori priorities."

In April: "The board queried the Māori engagement risk reporting 'green' when discussions to date have indicated this topic is 'red' status."

In May: "A guideline around Māori data is required" and "the board asked that the team consider data sovereignty issues".

The papers show optics are important, especially for councils with tight budgets which have to bear the costs of shifting their existing ticket systems over to the NTS.

"A challenge we face is there is a current focus on the overall $1.4b cost; need to shift focus to the $25-30m a year operating cost so people can understand the value for money," a March board paper said.

"We need to review our messaging and core narrative to support the value for money position.

"This is critical for both public and political acceptance."

The $1.4b is the capital and operating cost through to 2036, peaking at an estimated $240m next year. If the NTS were not done, the current systems would still cost a billion dollars to upgrade and run, business cases showed.

The first trial rollout of the NTS is set next year for Canterbury, as "the test case for the country".

Waka Kotahi told RNZ on Friday, "NTS security resources ... are no longer a key risk for the programme. Any comment with regards to public transport authority [council] security resources needs to be directed to them."
