Toll IT systems update

29 May 2020, 10AM AEDT

We are making good progress with the restoration of our key online systems. MyToll customers can now access most features. Track and Trace is now available for a number of services including for our Priority customers, with historical data being progressively uploaded. For future information on the status of MyToll services, please visit

In our Global Forwarding business, systems tests have been completed and we have restored CargoWise One access across Toll’s global network. We have started the process of re-establishing electronic data interchange connections with customers, on a phased basis.

Most customer-facing applications for our contract logistics customers are up and running, as we finalise testing with our customers.

We thank everyone for their support and patience during this period as we finalise the full resumption of services across Toll’s global network.

28 May 2020, 4PM AEDT

Following confirmation recently that the ransomware attackers had accessed Toll corporate server files which contain information relating to past and present employees, we have established that the information includes details such as name, residential address, age or birthdate, and payroll information (including salary, superannuation and tax file number).

The information relates to some current and former employees in certain countries in which Toll operates, including Australia and New Zealand. The incident does not affect all Toll employees and, based on current findings, casual staff are not impacted.

There is no evidence at this stage that the information in question has been taken.

As a precaution, we have written to impacted employees (past and current) to provide them with information on how they can protect themselves. As part of this, we have engaged the services of a leading provider of identity and cybersecurity solutions to ensure that impacted people are provided with the appropriate support and data protection measures.

Toll condemns in the strongest possible terms the actions of the cyber criminals, and we apologise to our people for the concern and inconvenience this situation may be causing them.

20 May 2020, 5PM AEDT

Following our announcement last week that a ransomware attacker had stolen data contained on at least one Toll corporate server, our ongoing investigation has established that the attacker has now published to the dark web some of the information that was stolen from that server. As a result, we are now focused on assessing and verifying the specific nature of the stolen data that has been published. As this assessment progresses, we will notify any impacted parties as a matter of priority and offer appropriate support.

12 May 2020, 4.15PM AEDT
Toll confirms data theft following targeted cyber attack

Early last week, following detection of suspicious activity on our IT systems, Toll confirmed it was the victim of a cyber attack involving ransomware known as ‘Nefilim’.

After detecting this attack, we shut down our IT systems to mitigate the risk of further infection. Toll has refused from the outset to engage with the attacker’s ransom demands, which is consistent with the advice of cyber security experts and government authorities.

Our ongoing investigations have established that the attacker has accessed at least one specific corporate server. This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers. The server in question is not designed as a repository for customer operational data.

At this stage, we have determined that the attacker has downloaded some data stored on the corporate server, and we are in the process of identifying the specific nature of that information. The attacker is known to publish stolen data to the ‘dark web’. This means that, to our knowledge, information is not readily accessible through conventional online platforms. Toll is not aware at this time of any information from the server in question having been published.

We have notified and are working with the Australian Cyber Security Centre (ACSC) and the Australian Federal Police (AFP). We are also actively managing our regulatory disclosure obligations.

Thomas Knudsen, Toll Group Managing Director, said that Toll was the victim of an “unscrupulous act”.

“We condemn in the strongest possible terms the actions of the perpetrators. This is a serious and regrettable situation and we apologise unreservedly to those affected. I can assure our customers and employees that we’re doing all we can to get to the bottom of the situation and put in place the actions to rectify it”, he said.

Given the technical and detailed nature of the analysis in progress, Toll expects that it will take a number of weeks to determine more details. We have begun contacting people we believe may be impacted and we are implementing measures to support individual online security arrangements.

Mr Knudsen said cyber crime posed “an existential threat for organisations of all sizes, making it more important than ever for business, regulators and government to adopt a united effort in combatting the very real risk it presents the wider community”.

11 May 2020, 4PM AEDT

Following the secure reactivation last week of one of our core IT systems which underpins many of the company’s online operations, we have commenced the process of restoring and testing our customer-facing applications with a focus on bringing them progressively online as soon as possible. At the same time, we’re continuing to support our large enterprise customers whose services are affected by the disruption to online operations. We’re continuing to keep our SME customers and consumers updated through our digital and social channels including Toll’s company and MyToll websites. While there are delays in some parts of the network, freight shipments and parcel deliveries are moving by and large as normal, with Toll call centres taking bookings over the phone. Contact details for bookings are available on the MyToll website. We continue to prioritise the movement of essential items including medical and healthcare supplies. Email access has been restored for Toll employees who operate on our cloud-based platforms.

7 May 2020, 3.30PM AEDT

Toll has completed an important step in the restoration of IT systems with the full and secure reactivation of one of our core IT systems which underpins most of the company’s online operations.

With that in place, our focus is on bringing our customer-facing applications online as a matter of priority. At this stage, we expect these applications will be progressively restored and tested throughout next week. As such, we are planning for business continuity and manual processes to continue into next week to keep services moving as we work towards the full and secure reactivation of our online systems.

This week we will work through the scanning and testing of servers which we will gradually and securely bring back online.

In addition we have re-established external email into the company, and email access for Toll employees who operate on our cloud-based platforms is being progressively restored. Work is continuing on restoring remaining email servers.

In the meantime, MyToll customers are able to book parcel pick-ups by calling our contact centres, with contact details available via the MyToll website.

6 May 2020, 3PM AEDT

As we continue to investigate the details of the ransomware attack that led us to disable various IT systems, we’re making good progress in rebuilding the core systems which underpin most of Toll’s online operations. This includes cleaning affected servers and systems, and restoring files from backups.

In the meantime, our business continuity and manual processes are keeping services moving across many parts of the network although, regrettably, some customers are experiencing delays or disruption. At this stage, freight shipments are largely unaffected and parcel deliveries are running essentially to schedule based on normal pick-up and delivery processes. Parcel tracking and tracing through the MyToll portal remains offline. We are prioritising the movement of essential items, including medical and healthcare supplies into the national stockpile for COVID-19 requirements. This includes running charter flights from China.

We’re working closely with our large enterprise customers whose services are affected and, for our SME customers and consumers, we’re providing updates on work-around processes through our digital and social channels including Toll’s company and MyToll websites. We expect to maintain current business continuity and manual processing arrangements through the week, and we are in regular contact with the Australian Cyber Security Centre (ACSC) regarding the investigation and recovery process.

Toll apologises to customers affected by delays or disruption to services.

5 May 2020, 1PM AEDT 

Toll took the precautionary step yesterday of shutting down certain IT systems after we detected unusual activity on some of our servers.

As a result of investigations undertaken so far, we can confirm that this activity is the result of a ransomware attack. Working with IT security experts, we have identified the variant to be a relatively new form of ransomware known as Nefilim. This is unrelated to the ransomware incident we experienced earlier this year. Toll has no intention of engaging with any ransom demands, and there is no evidence at this stage to suggest that any data has been extracted from our network. We are in regular contact with the Australian Cyber Security Centre (ACSC) on the progress of the incident.

Toll’s priority is the safety and security of our customers, employees and vendor partners and, to that end, we have business continuity plans and manual processes in place to keep services moving while we work to resolve the issue. We expect these arrangements to continue for the remainder of the week.

We have been in contact from the outset with various customers impacted by the issue and we continue to work with them to minimise any disruption.