Travelex Ransomware Attack

As the Travelex ransomware attack enters its third week of shutdown, conflicting statements, inconsistencies and general vagaries permeate both news reporting and the company’s public communications. Despite the company’s best efforts – things aren’t looking rosy for Travelex.

First detected on New Year’s Eve, the ransomware known as Sodinokibi/REvil began spreading through the company’s networks. Travelex responded by taking its systems offline, and has been debilitated by the attack ever since.

The hackers responsible claim to have had access to systems for six months, during which time they also claim to have exfiltrated around 5GB of sensitive customer data. This is an assertion that Travelex is currently denying, or of which it is as yet unaware: “There is still no evidence to date that any data has been exfiltrated.”

The vulnerability that allowed the attack stems from unpatched Pulse Secure VPN servers. The flaw was originally disclosed around April of last year, and security experts reportedly warned Travelex of the potential attack vector in mid-September, but received no response.

“We take very seriously our responsibility to protect the privacy and security of our partner and customer's data…we are working tirelessly to bring our systems back online”

Tony D'Souza, Travelex Chief Exec

With the supposed theft of national insurance numbers, credit card information and other sensitive data, Travelex has also yet to confirm reports of a ransom being demanded, or the progress of the reported negotiations. Based on information gathered by the BBC, however, the hackers are demanding around £4.6 million for the safe release of the data, under threat of the information being auctioned or deleted.

With over 1,200 retail branches, the currency giant is also responsible for the exchanges of partners such as Barclays, Sainsbury’s Bank, Tesco and Virgin Money, all of whom are now unable to process customer requests, leaving many winter holidaymakers in an unfortunate position.

Yet to confirm whether it is negotiating with the hackers, Travelex has also yet to give any indication of the likely recovery time. With stores forced to rely on manual exchanges, the company is undoubtedly still struggling to make sense of what has happened.

Having originally displayed a ‘routine maintenance’ message on its downed website, the ransomware victim is now publicly acknowledging the involvement of the Metropolitan Police and the National Crime Agency (NCA) in the case.

As well as these serious issues, the Information Commissioner’s Office (ICO) has stated that it is yet to receive a data breach report regarding the attack, a procedure that, in the case of a data breach, should be completed within 72 hours of the breach becoming known.

Whether this is because the status of the data is still unknown, or is an attempt to protect reputation and minimise perceived liability, Travelex would be making a serious mistake in ignoring basic data protection processes, especially considering the fines that could be levied against it at a time of such instability.

The lasting damage of the Travelex ransomware attack remains to be seen, but it is yet another example of how information security vulnerabilities can damage the operations of any business. Regardless of whether Travelex are forced to pay a ransom in exchange for a decryption key, executives at the company are going to be asking themselves some difficult questions about their past and future approach to information security.
