A dark web ransomware site is claiming to have data stolen from Auckland Transport, a cyber threat analyst says.
The transport agency was the victim of a cyber attack last week, which brought down the city's ticket payment system.
AT said no customer data has been compromised in the attack.
It said the HOP system would be fully restored by end of day on Tuesday.
Cyber threat analyst Brett Callow said hacker group Medusa was claiming to have stolen data.
The hackers were yet to post any evidence of the stolen data, and Callow said the group could be bluffing to try get more money out of the company.
"As far as I'm aware, they have never listed an organisation on their website unless they have stolen data," he said.
"There is a first time for anything, these people are criminals, they don't necessarily tell the truth.
"They could be bluffing in the hope of being able to squeeze some money out of AT using data they don't actually have as leverage."
Auckland Transport said it had no interest in negotiating with hackers allegedly holding its data for ransom.
Chief executive Dean Kimpton said the attackers had given them a seven-day deadline to pay up, or have their data published.
"I think these malicious ransomware actors actually use the bluff act as a key part of their strategy," he said.
"The question is 'Will we blink?', and we've been quite clear from the get-go that our policy is not to pay out on ransomware requests."
Kimpton said AT's data was still secure.
"We're satisfied, to the extent you can absolutely sure, that our information is protected."
Kimpton said AT had invested what they otherwise might have paid in ransom to ensure that their systems were safe.