Toll attacker made off with past and present employee data and commercial agreements

Company says it will take a number of weeks to determine further details about the attack.
Written by Chris Duckett, Contributor

Australian transport giant Toll Group has revealed the extent of data theft it has suffered after its second bout of ransomware this year, following a January infection.

"Our ongoing investigations have established that the attacker has accessed at least one specific corporate server. This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers," the company said on Tuesday.

"The server in question is not designed as a repository for customer operational data."

Toll said some of the accessed data was exfiltrated and that it is currently determining which data that was.

"The attacker is known to publish stolen data to the 'dark web'. This means that, to our knowledge, information is not readily accessible through conventional online platforms," Toll added.

"Toll is not aware at this time of any information from the server in question having been published."

The company said it has not paid the ransom and shut down its IT systems to prevent further infection. Last week, the company said it was a victim of Nefilim ransomware.

It would take a number of weeks to determine further details of the attack, the company said, and it has begun contacting impacted persons.

"This is a serious and regrettable situation and we apologise unreservedly to those affected," Toll Group managing director Thomas Knudsen said.

"I can assure our customers and employees that we're doing all we can to get to the bottom of the situation and put in place the actions to rectify it."

Knudsen added that cyber crime was "an existential threat for organisations of all sizes".

On Monday, the company said it has begun restoring and testing its customer-facing applications.

"While there are delays in some parts of the network, freight shipments and parcel deliveries are moving by and large as normal, with Toll call centres taking bookings over the phone," it said in a notice.

"We continue to prioritise the movement of essential items including medical and healthcare supplies. Email access has been restored for Toll employees who operate on our cloud-based platforms."

Last week, the company said it had begun the process of restoring from backups.

In January, Toll reverted to manual processes following a ransomware incident.

The company also shut down its systems as a precautionary measure at that time.

"We became aware of the issue on Friday 31 January and, as soon as it came to light, we moved quickly to disable the relevant systems and initiate a detailed investigation to understand the cause and put in place measures to deal with it," Toll said at the time.

In that instance, the ransomware it fell victim to was a variant of the Mailto ransomware, with the company calling in the Australian Cyber Security Centre.

"Our assistance has included providing technical experts to identify the nature and extent of the compromise, and provide Toll with tailored mitigation advice," director-general of ASD Rachel Noble said in March.

Related Coverage

Deliveries stranded across Australia as Toll confirms ransomware attack

The targeted attack has forced the company to disable its systems and revert to manual processes, causing delays across the country.

Toll Group shuts down IT systems in response to 'cybersecurity incident'

Customers are reporting that they've been told deliveries are suspended 'indefinitely'.

Shade (Troldesh) ransomware shuts down and releases decryption keys

The Shade ransomware gang have published more than 750,000 decryption keys on GitHub. Kaspersky is working on a decryption app.

Texas school district falls for email scam, hands over $2.3 million

There are "strong" leads but no real indication of who is responsible.

Editorial standards