A crippling cyberattack that targeted TheBus and TheHandi-Van earlier this year wound up costing the city $100,000 or more in lost fare revenues, Honolulu officials indicate.
Nearly a half-year later, Oahu Transit Services Inc., the private company that manages the city’s bus and paratransit system, said it’s still working on implementing cybersecurity measures to protect its fleet as well as its ridership.
Over several days in mid-June, OTS said, thebus.org website, HEA (also known as Honolulu Estimated Arrival) and related GPS services were inoperable due to the cyberattack.
The city Department of Transportation Services said on June 18 that there was a “cyber breach” and that OTS was working with the “proper authorities to investigate and handle the situation.”
HOLO card readers on TheBus and TheHandi-Van were also affected.
However, Skyline rail operations were not affected by the breach, and, at the time, train riders were required to tap their HOLO cards at the fare gates, DTS said.
Initial and unconfirmed reports said the breach was the result of DragonForce ransomware — which extorts money from victims by first locking companies or agencies out of their own computer systems.
But during a June 18 news conference, Roger Morton, DTS director, told reporters OTS had not paid any ransom and that officials were unclear exactly what kind of cyberattack crippled the city systems.
Still, there was an indication from an “outside entity that it was a result of an outside actor that had entered the system,” he said at the time.
“OTS cybersecurity experts jumped in to try to remedy the situation, and very quickly the phone system, which had been down Saturday morning … was restored so that regular operations from the users continued with some minor Saturday interruptions. … By Saturday afternoon everything was running normally as far as regular operations,” said Morton, who added that the Honolulu Police Department, Federal Bureau of Investigation and other law enforcement agencies were informed of the cyberattack. “What still does not operate normally is connections which require an external connection to other systems.”
All in all, the impact of the cyberattack on the city’s transit system was apparent.
OTS President and General Manager Robert Yu told the City Council’s Public Infrastructure and Technology Committee last week that the cyberattack caused disruptions to the bus system and HOLO card services for about two weeks.
Since that time, Yu said, OTS has looked at adding new firewalls to prevent cyberattacks and implemented additional “cyber monitoring security features.”
The breach also resulted in “training our employees on the importance of looking” at emails and “making sure it’s the proper email that you recognize the sender,” he said Thursday at the meeting.
OTS is considering the use of a product that will recognize “a first-time email sender to our network,” he said.
“And the software will send a message to the first-time sender asking for verification before the email could come through our system,” Yu told the committee. “And we think that’s one of the better security features that we want to look at.”
OTS is looking at “multifactor authentication,” too, he said.
“That’s one of the things that we’ve been rolling out,” he added. “It’s going to the office staff; any employees working remotely need to have (an) MFA.”
Yu said that type of authentication system would be needed for OTS to potentially buy “cyber insurance.”
At the meeting, Andria Tupola, committee chair, asked how much revenue the city lost during the two-week period in June.
“About $100,000,” Yu replied.
“And with this possible insurance you’re going to get, in the event that happens again, would they cover the loss?” she asked.
“It all depends on what the exceptions are,” Yu said.
Tupola then asked whether OTS had purchased insurance.
“As soon as we get our MFA up, then we will look into it,” Yu replied.
Tupola also queried whether the cyberattack came through an email.
Without sharing many details, Yu asserted one email came through an OTS email server, while another server was affected in a similar way.
Although Yu pegged the loss of transit revenue at $100,000, Kaneohe resident Donald Sakamoto told the committee it was much more.
Sakamoto cited DTS Director Morton recently informing the Honolulu Rate Commission that the city lost approximately $300,000 in fare revenue due to the cyberattack.
“I’m kind of worried that that much money was lost in that two-week time,” Sakamoto added.
After the meeting, OTS told the Honolulu Star-Advertiser there was only one cyber breach at its facility.
“We estimated revenue lost at around $100,000 using data provided by the Department of Transportation Services’ HOLO card contractor, Ulu HI-Tech,” an OTS spokesperson said.
There have been no cyber breaches on OTS since the June incident, the spokesperson said. And they confirmed that “no ransom was ever paid” over the breach at OTS either.
Meantime, high-tech data systems operate most of Honolulu’s transit operations, according to Morton.
“Just from DTS’ perspective, we have a number of data systems that we operate or have operated for us,” he told the committee. “First and foremost, we have our OTS system, which they operate themselves.”
OTS is not part of the city system, he added.
“They have their own IT department; they have cyber professionals within that group,” Morton said.
He stressed that much of the city’s transit system is largely protected from cyberattacks.
He also said Skyline’s Hitachi Rail system “is a very comprehensive data rail system that keeps our trains running without an operator.”
“We operate all of our parking meters with an outside vendor; those are all connected through data systems,” he said. “We have our very sophisticated traffic signal control system, which goes around the island and controls all the traffic signals.”
Morton said the traffic signal system is “not connected to any other system; it’s not part of the internet or anything like that.”
Honolulu’s online outage in June recalls a prior, suspected hack into TheBus’ online system about three years before.
On Dec. 9, 2021, an alleged cyberattack targeting OTS disabled the online servers to both administrative and operating access for TheBus and TheHandi-Van, according to DTS.
While most resources related to operations of TheBus and TheHandi-Van were restored in that incident, email servers were shut down.
In what was later investigated as a ransomware attack, Honolulu city officials collaborated with transit agencies in other U.S. cities targeted by hackers affiliated with Russia.
The FBI, HPD and U.S. Secret Service also looked into the prior incident.
Star-Advertiser staff writer Peter Boylan contributed to this report.
