The hackers also accessed the Strætó bookkeeping system and an online system that holds, among other things, recordings of phone conversations in the 90 days leading up to the attack.
The hackers accessed the Strætó human resources system, which holds contact details and employment contracts for current and former staff. They also gained access to customer complaints, comments and queries, as well as details of all visitors to the Strætó head office.
A press release from the bus company emphasises that there is no indication that the hackers have, or will be able to, abuse the information in any way. It is nevertheless impossible to guarantee that the information has not been copied and will never be released.
Strætó asked the online security company Syndis to investigate the very widespread leak. Jóhannes Svavar Rúnarsson, managing director of Strætó, confirmed that the hackers stole 400 gigabytes of data that includes personal data but not customer payment card details.