Toll Group attackers accessed personal and payroll data of staff

Toll Group has confirmed its latest encounter with ransomware enabled attackers to “access” personal and payroll details of current and former staff in several countries, though it says there’s “no evidence” the data was “taken”.

In an update the company said it had established that employee data held on servers compromised by the Nefilim attackers included “details such as name, residential address, age or birthdate, and payroll information (including salary, superannuation and tax file number).”

“The information relates to some current and former employees in certain countries in which Toll operates, including Australia and New Zealand,” the company said.

“The incident does not affect all Toll employees and, based on current findings, casual staff are not impacted.”

Toll Group said it had written to employees whose data was on the server to advise them “on how they can protect themselves”.

“As part of this, we have engaged the services of a leading provider of identity and cybersecurity solutions to ensure that impacted people are provided with the appropriate support and data protection measures,” the company said.

It did not indicate how many current and former staff are affected.

Toll Group was hit by a Nefilim ransomeware infection on May 4, which it detected as “unusual activity” on an undisclosed number of corporate servers.

It later said that the attackers downloaded some of the corporate data they came across during the attack.

Attackers claimed to have exfiltrated over 200GB of corporate files, which they started dumping onto the dark web last week after being unable to extract a ransom from Toll Group.

Toll Group said today that there is “no evidence at this stage that the [employee] information … has been taken.”

It is unclear, then, exactly what data the attackers say they have in their possession, though Toll Group has previously indicated the server also contained other information such as commercial agreements, which the company’s latest update doesn’t deal with.

Toll Group once again took aim at the attackers.

“Toll condemns in the strongest possible terms the actions of the cyber criminals,” it said.

“We apologise to our people for the concern and inconvenience this situation may be causing them.”

Earlier this year, Toll Group was hit with a different type of ransomware called Mailto which caused significant damage to IT systems and required a recovery period of about six weeks.

The company had initially indicated that it could recover more quickly from Nefilim, owing to the earlier experience rebuilding its IT environment.

However, it had still not recovered full functionality in its MyToll portal used by customers to book and track shipments at the time of publication.

/Public Release. This material from the originating organization/author(s) may be of a point-in-time nature, edited for clarity, style and length. The views and opinions expressed are those of the author(s).View in full here.