As the Travelex ransomware attack enters its third week of shutdown, conflicting statements, inconsistencies and general vagueness permeate both news reporting and the company’s public communications. Despite the company’s best efforts, things aren’t looking rosy for Travelex.

First detected on New Year’s Eve, the ransomware known as Sodinokibi/REvil began spreading through the company’s networks. Travelex responded by taking the affected systems offline and has been debilitated by the attack ever since.

The hackers responsible claim to have had access to systems for six months, during which time they also claim to have exfiltrated around 5GB of sensitive customer data. This is an assertion that Travelex is currently denying, or is as yet unaware of: “There is still no evidence to date that any data has been exfiltrated.”

The vulnerability that allowed the attack stems from unpatched Pulse Secure VPN servers. The flaw was originally disclosed around April of last year, and security experts reportedly warned Travelex of the potential attack vector in mid-September, but received no response.

“We take very seriously our responsibility to protect the privacy and security of our partner and customer’s data…we are working tirelessly to bring our systems back online”

Tony D’Souza, Travelex Chief Exec

With the supposed theft of national insurance numbers, credit card details and other sensitive data, Travelex has also yet to confirm reports of a ransom being demanded or the progress of the reported negotiations. According to information gathered by the BBC, however, the hackers are demanding around £4.6 million for the safe release of the data, under threat of the information being auctioned or deleted.

With over 1,2000 retail branches, the currency giant is also responsible for the exchanges of partners such as Barclays, Sainsbury’s Bank, Tesco and Virgin Money. All of these are now unable to process customer requests, leaving many winter holidaymakers in an unfortunate position.

Yet to confirm whether it is negotiating with the hackers, Travelex has also yet to give any indication of a likely recovery time. With stores forced to rely on manual exchanges, the company is undoubtedly still struggling to make sense of what has happened.

Having originally displayed a ‘routine maintenance’ message on its downed website, the ransomware victim is now publicly acknowledging the involvement of the Metropolitan Police and the National Crime Agency (NCA) in the case.

On top of these serious issues, the Information Commissioner’s Office (ICO) has stated that it has yet to receive a data breach report regarding the attack. In the case of a data breach, this report should be submitted within 72 hours of the breach becoming known.

Whether this is because the status of the data is still unknown, or is an attempt to protect reputation and minimise perceived liability, Travelex would be making a serious mistake in ignoring basic data protection processes, especially considering the fines that could be levied against the company at a time of instability.

The lasting damage of the Travelex ransomware attack remains to be seen, but it is yet another example of how information security vulnerabilities can cripple the operations of any business. Regardless of whether Travelex is forced to pay a ransom in exchange for a decryption key, executives at the company are going to be asking themselves some difficult questions about their past and future approach to information security.