Toll unsure if it lawyered up to avoid ASD assistance following ransomware attack

The logistics company said it might have been the company that was rebuffing assistance from the ASD, even though the ASD Director-General said in March last year that her organisation had been working with Toll.
Written by Asha Barbaschow, Contributor

Australian logistics giant Toll is not sure whether it was the company that avoided assistance from the government when it was struck by ransomware.

Last year, Toll found itself victim to ransomware on two occasions.

Appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of its review of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 last month, Toll global head of information security Berin Lautenbach said his organisation had help from the Australian Signals Directorate (ASD), which included having software installed on its systems.

During the hearing, Lautenbach, as well as the other organisations testifying before the PJCIS, was asked if it was his company ASD Director-General Rachel Noble was referring to when she revealed a company had declined to talk to the agency about an incident it had experienced.

At the time, Lautenbach said "certainly not".

In a submission [PDF] made available on Monday, Toll has revised the testimony.

"We are very grateful for the Australian Signals Directorate's (ASD) support during the two cyber attacks Toll experienced in 2020. Toll is not in a position to know which company Ms Noble is referring, and while indeed it may be Toll, we note that the ASD has never raised any formal concerns with our response to date," the company wrote.

"Following further internal discussions, we continue to be of the opinion that Toll acted transparently and cooperatively with the ASD.

"However, we recognise that we may not have responded at the pace the ASD may have expected due to the crisis we were experiencing."

Noble had told the PJCIS in June that the ASD found out about the attack at a well-known company after reading about it in the media.

"Then we tried to reach out to the company to clarify if the media reports were true, and they didn't want to talk to us. We kept pushing … at times, we have spent nearly a week negotiating with lawyers about us even being able to obtain just the basic information," she said.

"Asking, 'Can we please just have some data from your network; we might be able to help by telling you quickly who it is, what they're doing and what they might do next?'"

Noble said five days later, the ASD was still getting "very sluggish engagement".

"On day 14, we were only able to provide them with generic protection advice, and their network was still down. Three months later they got reinfected and we started again," she said.

Toll's first attack happened in January, with the company reporting the second incident in late May.

Noble in March last year told the Foreign Affairs, Defence and Trade Legislation Committee as part of Senate Estimates that the ASD and its Australian Cyber Security Centre (ACSC) had been working with Toll.

"Throughout February this year, the ACSC has worked closely with Toll Group, at their behest, in relation to their recent ransomware incident," she said in a statement entered straight into Hansard. "Our assistance has included providing technical experts to identify the nature and extent of the compromise, and provide Toll with tailored mitigation advice."
