A SERVER with information about commercial agreements as well as past and present Toll Group employees has been access by cyber criminals, Toll Group has confirmed.

The company recently announced it had experienced its second cyberattack this year, this time involving ransomware known as Nefilim.

In a statement released late on Tuesday afternoon, Toll said the attacker had accessed at least one corporate server.

After the attack, Toll shut down IT systems to mitigate the risk of further infection and “refused from the outset” to engage with the attacker’s ransom demands.

“Our ongoing investigations have established that the attacker has accessed at least one specific corporate server,” the company stated.


“This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers.

“The server in question is not designed as a repository for customer operational data.”

According to Toll, the attacker has downloaded some data stored on the corporate server.

“We are in the process of identifying the specific nature of that information. The attacker is known to publish stolen data to the ‘dark web’,” the company stated.

“This means that, to our knowledge, information is not readily accessible through conventional online platforms. Toll is not aware at this time of any information from the server in question having been published.”

The company is working with the Australian Cyber Security Centre and the Australian Federal Police.

Toll Group managing director Thomas Knudsen said the company was the victim of an “unscrupulous act”.

“We condemn in the strongest possible terms the actions of the perpetrators,” Mr Knudsen said.

“This a serious and regrettable situation and we apologise unreservedly to those affected. I can assure our customers and employees that we’re doing all we can to get to the bottom of the situation and put in place the actions to rectify it.”

Mr Knudsen said it would take several weeks to determine more details given the technical and detailed nature of the analysis in progress.

“We have begun contacting people we believe may be impacted and we are implementing measures to support individual online security arrangements,” he said.

Mr Knudsen said cybercrime posed “an existential threat for organisations of all sizes, making it more important than ever for business, regulators and government to adopt a united effort in combatting the very real risk it presents the wider community”.