Montreal-based TFI International, a major North American transportation and logistics firm, has announced that its four Canadian courier divisions (Canpar Express, ICS Courier, Loomis Express and TForce Integrated Solutions) were victims of a ransomware attack on Aug. 19. And now, hackers say they have personal customer information that they’ll publish on the dark web if the ransom isn’t paid.

Ransomware, a type of malware that threatens affected organizations with release of sensitive company information in exchange for a ransom, costs billions of dollars each year in resources spent, preventative measures and resolution efforts. In Canada alone, it costs businesses a collective C$2.3 billion annually, according to Emsisoft, a cyber security consultancy.

Canpar Express, a parcel delivery company with an estimated 20,000 customers across Canada, released a statement on its Facebook page: “We continue to meet most customer shipping needs and we are not aware of any misuse of client information … Canpar Express takes our obligation to protect customer information seriously. Upon learning of the incident, we immediately began an investigation and engaged cybersecurity experts to assist in the process. We have taken steps to contain and remediate the issue and are taking all necessary steps to help prevent any occurrences in the future.”

On Aug. 24, Canpar Express released a follow-up statement, assuring consumers that critical systems had been restored and the websites of the impacted divisions were all gradually being returned to full working order. “We have identified the source of this incident and want to assure you we have the situation firmly under control, that we are operational, and that we have taken measures to prevent any future occurrences,” the statement read. “At this time, we have no evidence that the attackers have obtained any customer data.”

But the next day, hacker group DopplePaymer said it has names and financial information from Canpar Express customers and will gradually release the information on the dark web, a sub-section of the internet only accessible with a special browser that’s often used by hackers and other bad actors in illegal markets.

Freightwaves, a supply chain, trucking and logistics news site, says its own investigation into the dark web revealed a leak of three TFI documents that appear to have come from DopplePaymer, which has also taken credit for attacks against the City of Knoxville, TN, and a NASA IT contractor. The documents look to contain only a small amount of information on Canpar Express’s internal operations, according to Freightwaves.

As of this writing, neither TFI International nor Canpar Express had released further statements addressing this newest development.

The promo industry has been hit hard by ransomware attacks in recent years. In one of the most high-profile cases, alphabroder (asi/34063), the industry’s second-largest supplier based outside Philadelphia, said its order processing and shipping platform was attacked by SODINOKIBI malware that was sophisticated enough to bypass the company’s security systems. No customer or worker data was compromised in this case, according to alphabroder, though the company did end up paying about half of the initial $3.2 million ransom.