Toll Group says that data was stolen during its second ransomware attack of the year - reversing its story from a week ago.

In a statement released overnight, the transport and logistics giant said hackers accessed a server containing information "relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers."

Ransomware: How Toll got hit for a second time within months
Juha Saarinen: Don't keep quiet about ransomware attacks
Kiwis lose $1m to sim card scam

It added: "We have determined that the attacker has downloaded some data stored on the corporate server, and we are in the process of identifying the specific nature of that information. The attacker is known to publish stolen data to the 'dark web'."


Toll earlier said it would not pay a ransom to get its data back. It was not aware of any information being published so far, and was in touch with individual customers who were affected. It did not immediately respond to a question about whether any of the customers concerned were in NZ, where Toll operates 600 vehicles.

Managing Director Thomas Knudsen said that the Melbourne-based Toll was the victim of an "unscrupulous act". His company was now working with the Australian Federal Police and Australian Cyber Security Centre.

The MD framed the security breach as part of a wider problem, saying cyber attacks are "an existential threat for organisations of all sizes, making it more important than ever for business, regulators and government to adopt a united effort in combating the very real risk it presents the wider community".

More immediately, the second attack of the year is an embarrassment for Toll's IT partners, who include NZ-based Datacom according to a Toll spokeswoman and a 2020 case study on Datacom's website featuring Toll.
A spokesman for Datacom told the Herald: "We didn't do the security for Toll that's been breached, but we are working with them to review security measures they've got in place and to resolve the issue." Datacom was involved in the first ransomware attack "from consultation and review point of view."

Last week, Toll took some systems offline and warned customers about possible delays as it suffered its second ransomware attack of the year. The first disrupted its service between late January and early March.

After the first attack, Toll chairman John Mullen implied a compromised or corrupted employee could be to blame, telling the AFR: "It is an element of human behaviour that creates these entry points, or the chink in the armour, it is rarely the actual firewall that didn't work.

"People somehow get access to a master password, whether it's via guile or whether it's through criminal activity or bribing. They will use human weaknesses to get around the system."

Last week, the Herald asked Toll if any investigations into the first attack had identified any insider involvement and if so what action had been taken.


A spokesman replied: "We are not able to provide any info on this given the inherent sensitivities involved in making details public to perpetrators of such attacks."

The latest attack came with Toll staff on a four-day week as a Covid-19 cost-saving measure and a new chief information officer in place. The company said the departure of its previous tech boss was not related to the January ransomware attack.

The spokesman said the latest attack used ransomware software known as "Nefilim", which was different from that used in the New Year attack (although Nefilim has been known to the security industry since at least February).

Overnight, MD Knudsen said it would take some time before there was a full picture of the latest attack.

"Given the technical and detailed nature of the analysis in progress, Toll expects that it will take a number of weeks to determine more details."

A report by security company Eset, released last week, said ransomware attackers used to just lockup data and demand a ransom for its return.


But their new "go-to-tactic" was "doxing" or threatening to make information public on the internet if a ransom was not paid.

What to do if you're hit by ransomware

New Zealand businesses or individuals hit by a cyber-attack are advised to contact Crown agency CERT (the Computer Emergency Response Team) as their first step.

CERT acts as a triage unit, pointing people to the right law enforcement agency or technical contacts.

CERT director Rob Pope and police both advise against paying up on a ransomware demand, even if the sum involved is modest.

They say there is no guarantee that data will be returned, or unlocked. They also caution that while paying a small ransom can be convenient, the money can help fund Eastern European gangs who are also involved in the likes of drug and human trafficking.