Editor, IFSEC Global

Author Bio ▼

James Moore is the Editor of IFSEC Global, the leading resource for security and fire news in the industry. James was previously Editor of Professional Heating & Plumbing Installer magazine.
August 7, 2020

Sign up to free email newsletters

Download

Whitepaper: Normal service resumed? How video technology supports our new reality

Travelex: Company cites cyber attack as key factor in administration announcement

Travelex has cited a significant cyber attack in late December 2019 as a key reason for the foreign exchange company going into administration, alongside the effects of the coronavirus

In a statement from PwC, it said: “The impact of a cyber attack in December 2019 and the ongoing Covid-19 pandemic this year has acutely impacted the business.”

Many commentators have highlighted that this result should serve as a significant warning to businesses to improve their cyber security. Travelex trades in over 80 currencies and 50 countries, as well as providing outsourcing services to major banks, supermarkets and travel agencies. A complex restructuring deal completed today has delivered £84m of new money and substantially deleveraged the new group.

Jérôme Robert – Director at Alsid, the Active Directory cyber security specialist, added: “While the coronavirus dealt Travelex the fatal blow, administrators PwC specifically called out the impact of January’s cyberattack – something which should act as a wake-up call for businesses everywhere. With ransomware attacks becoming a defining feature of 2020 – Canon was allegedly hit by Maze on Wednesday – businesses need to open their eyes to the far-reaching impact such attacks can have.

“It remains to be seen whether the newly created company following this restructuring will still be the subject of an ICO investigation and/or a potentially large fine. It’s impossible to know the total cost of January’s Sodinokibi attack on Travelex, but another victim from 2019, Demant, cited an estimated $95m in losses after falling victim to a similar attack. These are hugely significant sums for any business.”

You can find out more about the administration announcement, here. 

Cyber attack on Travelex

The attack was launched on New Year’s Eve, according to reports, and the company was forced to take down its websites across 30 countries, in an attempt to “contain the virus and protect data”. Many of these were still offline as of Monday 13th January, though the business believed by that point it had contained the virus. Mr. D’Souza, the company’s CEO, commented: “We continue to make good progress with our recovery and have already completed a considerable amount in the background. We are confident, based on our efforts to date, that we will be able to restore our services and ensure the integrity and robustness of the network.”

According to the BBC, the ransomware gang claimed to be behind the attack was called Sodinokibi, who called for the firm to pay £4.6m, having downloaded vast numbers of sensitive customer data, which included dates of birth, credit card information and national insurance numbers.

Reports indicated no data has yet been released, whilst the Information Commissioner’s Office declared that it had not received a data breach report from Travelex.

The Metropolitan Police led the investigation into the attack, stating: “On Thursday 2nd January, the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing.”

The police, IT specialists and external cyber security specialists all supported the company in an attempt to find a solution to the breach.

Following the release of the news, a number of high street banks stopped customers ordering foreign currency, including Lloyds, Barclays and Royal Bank of Scotland.

Travelex-cybersecurity-20

The company’s CEO, Tony D’Souza, released a statement on a video hosted on the company’s temporary website.

In the statement, Mr. D’Souza highlighted that the business closed downs its various websites in order to contain the virus, whilst “at all times we remained focused on protecting our customers’ data”.

You can watch the statement made by the Travelex CEO, here. 

In late January, the Wall Street Journal reported that Travelex eventually paid the cyber criminals $2.3 million in bitcoin to relieve them of the issue.

IFSEC Global initially received comment from cyber security specialists on the attack, with responses below.

James Smith, Principal Security Consultant and Head of Penetration Testing at Bridewell Consulting, comments: “Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry

“Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough. Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost.  This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.”

“It’s important to learn from past incidents and build those learnings into a cyber response / resilience plan. Having the right processes in place are critical in being prepared for an attack. This includes technical aspects like replicating data, off-site backups, network segregation, firmware updates and even regular penetration testing. It also covers response — not just in fixing the issue, but in informing the wider business, the media, and most importantly customers.”


In-depth: Travelex tragedy proves cyber resilience must become the new watchword


“The first thing to learn from this is that all organisations are at risk because everyone has something of value to lose. Whether that’s access to systems, intellectual property or customer data.

“The second thing to learn is that having a plan in place to mitigate risk is essential. Prevent, detect, respond. Those are three key elements to live by and should cover everything from the business impact of an attack, technical considerations on how to prevent them, as well as how you’d respond to stakeholders in the event of an attack, customers, staff, the ICO, etc.”

“Whether companies should pay the ransom always sparks debate — but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored. There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great. Then of course there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.”

Becky Nicholson, Data Privacy Consultant at Bridewell, added: “Travelex has certain obligations as a controller under Data Protection legislation. One of which is to report personal data breaches to the supervisory authority. It is important, however, to ascertain to whom the data belongs and where it is being processed, so as to determine the jurisdiction.

“It may be that the breach is covered by the General Data Protection Regulation (GDPR); if so, Travelex will need to assess if the breach needs to be reported to the supervisory authority and do so within 72 hours but also to the National Cyber Security Centre (NCSC).

“Travelex must also evaluate the likelihood of the breach resulting in a high risk to the rights and freedoms of the customers and inform them without “undue delay”. When assessing a risk to the rights and freedoms, it is important to focus on the potential negative consequences for the individual. This must be based on how serious or substantial they are and how likely they are to happen. Helpfully, when reporting a personal data breach to the UK’s regulator, the Information Commissioner’s Office (ICO), they will offer advice about whether the individuals involved need to be informed.

“There have also been reports that Travelex was recently warned about vulnerabilities in its virtual private network (VPN) servers. This may also have implications for the company as the GDPR imposes other obligations to implement appropriate technical and operational measures to ensure a level of security appropriate to the risk. This will include such things as regular penetration tests to check for such vulnerabilities.”

Jérôme Robert, Director at Alsid, has said: “We know that the Sodinokibi ransomware is to blame, but beyond that it would be wrong to speculate too much on the anatomy of the attack. What we do know is that whenever there is a sophisticated, large-scale cyber event involving ransomware or large enterprises, we can be confident that Active Directory played a significant role. Hacking into the Active Directory can take less than 20 minutes, and most Active Directory infrastructures are basically open goals for a sophisticated attacker. Gaining access enables an attacker to navigate a large company like Travelex to extract information or corrupt a whole network via lateral movement across endpoints and accounts using the Active Directory.

“The bad news for Travelex is that while this attack rumbles on, its problems are probably only just beginning. Hopefully it will manage to contain the threat by working with the specialists it has called in, but even then there is the question around payment of the ransom… If that data is exposed by the hackers, Travelex can expect an ICO investigation and (sound the GDPR klaxon) a potential large fine. Danish company Demant recently suffered a ransomware attack and cited an estimated $95m in resulting costs, which shows the massive cost of these types of cyber-attacks. Set against these types of costs, protecting the Active Directory is an essential measure in the ongoing fight against increasingly sophisticated ransomware threats.”

Download the Intruder Alarm Report 2020

Download this report, produced in conjunction with Texecom, to discover how increasing processing power, accelerating broadband speeds, cloud-managed solutions and the internet of things and transforming the intruder alarm market, and whether firms are adopting these innovative new technologies.

AlarmReport-Main-19

Related Topics

Subscribe
Notify of
guest
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
trackback

[…] we saw recently in the Travelex ransomware case, the removal of services affected several banks that used the platform for their […]