Toll customer data stolen in its second cyber attack of 2020

Logistics provider Toll has suffered its second cyber attack of the year, and shut down its MyToll service last week after detecting suspicious activity in its IT systems.

Upon inspection the transport company confirmed that a corporate server with employee and commercially sensitive information relating to clients was accessed and data was stolen.

The activity was a cyber attack involving the ransomware Nefilim, and caused Toll to shut down its IT systems to mitigate the risk of further damage.

The stolen data may now be published on the ‘dark web’ in line with what is known about the attacker’s previous behaviour, which Toll believes means the data is not readily available on conventional online platforms. 

Toll Group managing director Thomas Knudsen said the attack was unscrupulous, and that the business is working with the Australian Cyber Security Centre and the Australian Federal Police.

“We condemn in the strongest possible terms the actions of the perpetrators,” Knudsen said. 

“This is a serious and regrettable situation and we apologise unreservedly to those affected. I can assure our customers and employees we’re doing all that we can to get to the bottom of the situation and put in place the actions to rectify it.”

However, the full damage is likely to be unknown for several weeks as the business continues to confirm what was accessed. 

The ransomware, Nefilim, was first seen in March 2020, according to information security experts SentinelLabs, and attacks information systems through remote desktop protocols.

“Once the attackers have compromised the environment via [remote desktop protocols], they then proceed to establish persistence, to locate and exfiltrate additional credentials where possible, and then to deliver the ransomware payloads to their intended targets,” wrote SentinelLabs. 

The software also uses a name-and-shame ransom strategy, threatening to publish sensitive information acquired during the attack should the victim refuse to cooperate.

Toll confirmed it had refused from the outset to engage with the hacker’s ransom demands, consistent with the advice of cyber security experts and government authorities. 

The incident follows an initial attack in February which saw Toll shut many of its core services down, impacting clients and customers alike. It isn’t clear at this time if the two attacks are connected.

Inside Retail has reached out to Toll Group for additional information, but hadn’t received a response by the time of publication. 
