Toll confirms ‘Nefilim’ ransomware nabbed contents from key corporate server


In a statement released late yesterday (12 May), Toll confirmed data theft following a targeted cyber attack. The company statement, which includes comments from Toll Group Managing Director Thomas Knudsen, read:

Early last week, following detection of suspicious activity on our IT systems, Toll confirmed it was the
victim of a cyber attack involving ransomware known as ‘Nefilim’.

After detecting this attack, we shut down our IT systems to mitigate the risk of further infection. Toll has
refused from the outset to engage with the attacker’s ransom demands, which is consistent with the
advice of cyber security experts and government authorities.

Our ongoing investigations have established that the attacker has accessed at least one specific corporate
server. This server contains information relating to some past and present Toll employees, and details of
commercial agreements with some of our current and former enterprise customers. The server in
question is not designed as a repository for customer operational data.

At this stage, we have determined that the attacker has downloaded some data stored on the corporate
server, and we are in the process of identifying the specific nature of that information. The attacker is
known to publish stolen data to the ‘dark web’. This means that, to our knowledge, information is not
readily accessible through conventional online platforms. Toll is not aware at this time of any information
from the server in question having been published.

We have notified and are working with the Australian Cyber Security Centre (ACSC) and the Australian
Federal Police (AFP). We are also actively managing our regulatory disclosure obligations.

Thomas Knudsen, Toll Group Managing Director, said that Toll was the victim of an “unscrupulous act”.
“We condemn in the strongest possible terms the actions of the perpetrators. This is a serious and
regrettable situation and we apologise unreservedly to those affected. I can assure our customers and
employees that we’re doing all we can to get to the bottom of the situation and put in place the actions
to rectify it”, he said.

Given the technical and detailed nature of the analysis in progress, Toll expects that it will take a number
of weeks to determine more details. We have begun contacting people we believe may be impacted and
we are implementing measures to support individual online security arrangements.

Mr Knudsen said cyber crime posed “an existential threat for organisations of all sizes, making it more
important than ever for business, regulators and government to adopt a united effort in combatting the
very real risk it presents the wider community”.