Toll Group attackers accessed personal and payroll data of staff

Toll Group has confirmed its latest encounter with ransomware enabled attackers to “access” personal and payroll details of current and former staff in several countries, though it says there's “no evidence” the data was "taken”.

In an update late Thursday - its first in over a week - the company said it had established that employee data held on servers compromised by the Nefilim attackers included "details such as name, residential address, age or birthdate, and payroll information (including salary, superannuation and tax file number)."

“The information relates to some current and former employees in certain countries in which Toll operates, including Australia and New Zealand," the company said.

“The incident does not affect all Toll employees and, based on current findings, casual staff are not impacted.”

Toll Group said it had written to employees whose data was on the server to advise them “on how they can protect themselves”.

“As part of this, we have engaged the services of a leading provider of identity and cybersecurity solutions to ensure that impacted people are provided with the appropriate support and data protection measures,” the company said.

It did not indicate how many current and former staff are affected.

Toll Group was hit by a Nefilim ransomware infection on May 4, which it detected as “unusual activity” on an undisclosed number of corporate servers.

It later said that the attackers downloaded some of the corporate data they came across during the attack.

Attackers claimed to have exfiltrated over 200GB of corporate files, which they started dumping onto the dark web last week after being unable to extract a ransom from Toll Group.

Toll Group said today that there is “no evidence at this stage that the [employee] information ... has been taken.”

It is unclear, then, exactly what data the attackers say they have in their possession, though Toll Group has previously indicated the server also contained other information such as commercial agreements, which the company's latest update doesn't deal with.

Toll Group once again took aim at the attackers.

“Toll condemns in the strongest possible terms the actions of the cyber criminals,” it said.

“We apologise to our people for the concern and inconvenience this situation may be causing them.”

Earlier this year, Toll Group was hit with a different type of ransomware called Mailto which caused significant damage to IT systems and required a recovery period of about six weeks.

The company had initially indicated that it could recover more quickly from Nefilim, owing to the earlier experience rebuilding its IT environment.

However, it had still not recovered full functionality in its MyToll portal used by customers to book and track shipments at the time of publication.

And with most of May now gone, the restoration has unfortunately turned into a second prolonged and intensive exercise.

Update, 29/5 12pm: 

Toll Group said it is "making good progress with the restoration of our key online systems."

"MyToll customers can now access most features. Track and Trace is now available for a number of services including for our Priority customers, with historical data being progressively uploaded.

"In our Global Forwarding business, systems tests have been completed and we have restored CargoWise One access across Toll’s global network.

"We have started the process of re-establishing electronic data interchange connections with customers, on a phased basis.

"Most customer-facing applications for our contract logistics customers are up and running, as we finalise testing with our customers."