Five days into an outage, the maker of PayMyPark - a parking payment app used by Wellington, Hutt, Tauranga, Christchurch, Dunedin and other city councils - has admitted it was the victim of a ransomware attack.
• Toll admits some customers still suffering delays on day 18 of ransomware attack
• Air NZ service provider Travelex held to ransom by hackers demanding $8.5m
• Seven simple tips to keep hackers at bay
"We responded to this incident as soon as we were notified and commissioned a
thorough investigation which is being undertaken by the PwC Cyber Response Team," Arthur D Riley Ltd (ADR) said in a statement.
In follow-up comments, a spokeswoman said no ransom was paid. She did not say how much was demanded to free its data.
Like Toll and Air NZ partner Travelex before it, ADR chose to grind it out and rebuild its systems over several days.
It was only on day five that PayMyPark users received an explanatory email - and even then it neglected to mention the ransomware element of the attack.
PayMyPark went off-line on Saturday, and users have since been demanding answers from councils, who before this afternoon have been able to offer little information.
"As a result of this ongoing investigation, we believe we have identified how this attack
occurred and have taken steps to get PayMyPark back online," ADR said.
"We want to assure all our customers and users that we have not identified any breach
of private or personal information or data as a result of this ransomware attack.
"We can also confirm that PayMyPark does not hold any credit card or other personal
The company says its systems are now secure, and that its app will be back online as of 6am tomorrow.
ADR is also heavily involved in parking enforcement systems, and exports of data to collection agencies and courts. The spokeswoman said, "ADR took the parking enforcement systems down as a precaution, but no data or information has been compromised."
Wellington City Council alerted users via Twitter on Saturday that there were "server problems". There is still no estimated time for ADR to get the system back online.
A WCC spokesman told the Herald that council staff were meeting with ADR this afternoon. The council hoped to learn more at that meeting, however, it could offer no new information following the get-together.
Dunedin City Council has come the closest to providing an explanation, saying in response to a question on Facebook: "Someone attempted to breach our supplier's website. Due to the security systems in place, no personal information or credit card details were accessed. Cyber security specialists were called in and as a security measure, the site and app were taken offline. They are working to get the site and app back online as a high priority."
Many drivers were confused about whether they should pay for parking if they had money still in their PayMyPark account, but the system was still down.
Celeste Wansink asked Dunedin Council, "When I have money sitting in an account (PayMyPark) waiting to be used for parking, why should I pay at the meter?" (The council did not immediately reply).
Mike James vented: "Typical DCC [Dunedin City Council], no real back up plan."
Wellington City Council said people could still pay at meters using cards or cash.
"In the unlikely event you get a ticket, you can appeal your ticket once the system is back online," the council said on its Facebook page.
Robyn Gilchrist posted in response: "This has been playing up for days... In a cashless society you need a need a more reliable service."
A number wondered why Wellington had dumped its previous app, Phone2Park, which was shuttered on January 7 this year.
The office of the Privacy Commissioner said it had not been notified about any data breach involving PayMyPark.
What to do if you're hit by ransomware
New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.
CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.
CERT director Rob Pope and Police recommend not paying a ransom for data encrypted or stolen by hackers.
There is no guarantee it will be returned. And payment often means helping to fund organised crime groups that are also involved in areas like drugs and human trafficking.