Logistics giant Toll Group has revealed that hackers who breached its systems last week have stolen private data about client agreements and past employees, and it fears the data will be put up for sale on the dark web.
In a statement on Tuesday afternoon Toll Group managing director Thomas Knudsen described the attack as an "unscrupulous act," and said the Australian Federal Police were involved alongside the Australian Cyber Security Centre (ACSC) in investigating the crime.
The hackers breached Toll's systems last week using ransomware known as Nefilim, but at the time the company said no data had been extracted as a result. It is the second major ransomware attack to bring the company to its knees this year.
Toll said it had now established that the attacker has accessed at least one specific corporate server containing information relating to some past and present Toll employees, as well as details of commercial agreements with some of its current and former enterprise customers.
It said the server in question was not used for customer operational data.
"At this stage, we have determined that the attacker has downloaded some data stored on the corporate server, and we are in the process of identifying the specific nature of that information. The attacker is known to publish stolen data to the ‘dark web,’" Toll's statement said.
The dark web is a part of the internet that is not accessible via typical search engines and web browsing. It is only accessible via encrypted browsers like Tor and is often used by criminals to trade in illicit goods.
Toll said it was not aware of any of its data being published online yet, and would be notifying relevant customers and employees if their data was compromised.
"We condemn in the strongest possible terms the actions of the perpetrators. This is a serious and regrettable situation and we apologise unreservedly to those affected. I can assure our customers and employees that we’re doing all we can to get to the bottom of the situation and put in place the actions to rectify it," Mr Knudsen said.
"Cyber crime poses an existential threat for organisations of all sizes, making it more important than ever for business, regulators and government to adopt a united effort in combating the very real risk it presents the wider community."
Toll said that, given the technical and detailed nature of the analysis in progress, it expected it would take a number of weeks to discern all the relevant details about the attack and the data compromised.
It reiterated its earlier stance that it would not deal with the hackers, or pay any ransoms for the return of data or system functions.
Cyber security expert James Turner from CISO Lens said the damage of losing the data could not be assessed until Toll was sure about what had been taken.
Employees will inevitably be worried about the potential for identity theft or financial crime from having any banking and personal data sold online, but the longer-term commercial implications of client data loss cannot yet be evaluated.
"To add to the complexity is the challenge that risk comes from the quality of the data but also from how criminals decide to exploit it," Mr Turner said.
"The value of information changes through time, but also depending on who has it and what the information represents for them.
"Here in Australia, these Toll employees are us; they’re our friends, family and industry colleagues. To criminals on the other side of the world, these are faceless people they will never meet."
In addition to selling data on the dark web, the head of the cyber security practice at consulting firm Ankura, Shannon Sedgwick, said it was common for hackers to use stolen corporate login credentials for other cyber crimes.
He said Toll could also be forced to compensate its staff for the loss of their personally identifiable information if it led to them having problems.
"Employee data could contain sensitive information such as bank details, tax file numbers, addresses, and payroll records," he said.
"This data could be used for further attacks against Toll through spear phishing or business email compromise.
"The theft of this data could potentially have long-lasting pernicious effects on Toll’s affected employees, from the time taken to ensure the security of their bank accounts and credit cards to the potential impact on their credit history from the use of their data for fraudulent activities."