Files from TFI’s Canpar leak after ransomware attack

Internal documents appear on dark web

A hacking group released files that appear to have been stolen from TFI subsidiary Canpar Express as part of a ransomware attack. (Photo: Canpar Express)

Files purportedly stolen from TFI International’s Canpar Express leaked onto the dark web on Monday after a ransomware attack targeted the Canadian trucking and logistics company’s parcel and courier subsidiaries last week. 

The leak, consisting of three documents, appears to have come from DoppelPaymer. The hacking group has taken credit for ransomware attacks on high-profile targets including the city of Knoxville and a NASA IT contractor.

It also includes a message: “As an essential service provider, we are committed to continuing to provide service across Canada with limited disruption and also ready to share some data. Each day a few more files.”

A TFI spokesperson declined to comment on the leak. The company’s four parcel and courier subsidiaries, all Canadian, reported being targeted in ransomware attacks on Thursday.


The leak appears to contain a small amount of information related to Canpar’s internal operations. FreightWaves viewed the documents but is not publishing their contents or linking to them.

Leak serves as a warning to TFI, expert says

The leak serves as proof and warning to Montreal-based TFI: Pay the ransom or see more information leaked online, said Brett Callow, threat analyst with Emsisoft, who detected the leak on Monday.

“They have two options: Either refuse to pay and sit by while data gets posted bit by bit, or pay, and get a pinky promise it will be destroyed,” Callow told FreightWaves.

The data release suggests that TFI likely decided not to pay, Callow said.


Montreal-based TFI also declined to comment further on the ransomware attacks themselves. The company’s spokesperson referred FreightWaves to notices published on the websites of its four parcel and courier companies: Canpar Express, ICS Courier, Loomis Express and TForce Integrated Solutions.

“We continue to meet most customer shipping needs and we are not aware of any misuse of client information,” the notices state. “Out of an abundance of caution we want to make our clients aware of the incident, should you be experiencing any issues.”

As of Monday, the notices had been removed. All of the websites, except for TForce Integrated Solutions, appeared to be operating normally.

Complaints of delays of Canpar shipments

Users on Twitter and Reddit have complained of extended delays for Canpar shipments and the inability to track them. 

While TFI reported that the ransomware attack occurred on Aug. 19, Callow said hackers likely infiltrated the affected systems long before. 

“They are brutally efficient professional extortionists,” Callow told FreightWaves, referring to DoppelPaymer.

Ransomware attacks typically involve hackers locking down systems and demanding money to restore access. 

Canpar is among TFI’s most visible brands in Canada as a leading provider of parcel deliveries and courier services for businesses and consumers. Still, it represents a comparatively small part of TFI’s overall business, accounting for less than 15% of the company’s revenue. 


The ransomware attack came two days after TFI closed a $219 million (CA$290 million) share offering. The company is Canada’s largest trucking and logistics company, with a market cap of over $4.25 billion (CA$5.6 billion).

TFI subsidiaries operate across Canada and the United States.

Click for more FreightWaves articles by Nate Tabak
