Toll's stolen data finds itself on the 'dark web'

Follows the company in January revealing it would revert to manual processes following a ransomware incident.

Toll attacker made off with past and present employee data and commercial agreements
2:21

Toll Group has provided an update on the ransomware attack it suffered following a January infection.

The Australian transport giant said, after revealing the extent of data theft it suffered earlier this month, that the stolen information has found its way onto the "dark web".

"Following our announcement last week that a ransomware attacker had stolen data contained on at least one Toll corporate server, our ongoing investigation has established that the attacker has now published to the dark web some of the information that was stolen from that server," Toll wrote in an update.

Earlier this month, Toll said the attacker behind the theft was known to publish stolen data to the dark web.

"This means that, to our knowledge, information is not readily accessible through conventional online platforms," Toll said at the time.

The company said it was focused on assessing and verifying the specific nature of the stolen data that has been published.

"Our ongoing investigations have established that the attacker has accessed at least one specific corporate server. This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers," the company said previously.

"The server in question is not designed as a repository for customer operational data."

The company said it has not paid the ransom and shut down its IT systems to prevent further infection. In April, the company said it was a victim of Nefilim ransomware.

It would take a number of weeks to determine further details of the attack, the company said, and it has begun contacting impacted persons.

In January, Toll reverted to manual processes following a ransomware incident.

The company also shut down its systems as a precautionary measure at that time.

"We became aware of the issue on Friday 31 January and, as soon as it came to light, we moved quickly to disable the relevant systems and initiate a detailed investigation to understand the cause and put in place measures to deal with it," Toll said at the time.

In that instance, the ransomware it fell victim to was a variant of the Mailto ransomware, with the company calling in the Australian Cyber Security Centre.

"Our assistance has included providing technical experts to identify the nature and extent of the compromise, and provide Toll with tailored mitigation advice," director-general of ASD Rachel Noble said in March.

HERE'S MORE