Editor, IFSEC Global

January 20, 2020


Travelex: CEO releases statement on cyber attack

Foreign exchange company Travelex believes it is making good progress in recovering from a recent cyber-attack, after the event forced the firm to revert to pen and paper rather than using its computer systems. The company’s CEO, Tony D’Souza, has since released a statement in a video hosted on the company’s temporary website.

In the statement, Mr. D’Souza highlights that the business closed down its various websites in order to contain the virus, whilst “at all times we remained focused on protecting our customers’ data”.

You can watch the statement made by the Travelex CEO here.

Cyber attack on Travelex

The attack was launched on New Year’s Eve, according to reports, and the company was forced to take down its websites across 30 countries, in an attempt to “contain the virus and protect data”. Many of these were still offline as of Monday 13th January, though the business says it has now contained the virus. Mr. D’Souza has commented: “We continue to make good progress with our recovery and have already completed a considerable amount in the background. We are confident, based on our efforts to date, that we will be able to restore our services and ensure the integrity and robustness of the network.”

According to the BBC, the ransomware gang claimed to be behind the attack is called Sodinokibi, which has called for the firm to pay £4.6m, having downloaded vast amounts of sensitive customer data, including dates of birth, credit card information and national insurance numbers.

Current reports indicate no data has yet been released, whilst the Information Commissioner’s Office has declared that it has not received a data breach report from Travelex.

The Metropolitan Police is leading the investigation into the attack, stating: “On Thursday 2nd January, the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing.”

The police, IT specialists and external cyber security specialists are all currently supporting the company in an attempt to find a solution to the breach.

Following the release of the news, a number of high street banks stopped customers from ordering foreign currency, including Lloyds, Barclays and Royal Bank of Scotland.


IFSEC Global has received comment from cyber security specialists, with responses so far below.

James Smith, Principal Security Consultant and Head of Penetration Testing at Bridewell Consulting, comments: “Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry.

“Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough. Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.”

“It’s important to learn from past incidents and build those learnings into a cyber response / resilience plan. Having the right processes in place is critical in being prepared for an attack. This includes technical aspects like replicating data, off-site backups, network segregation, firmware updates and even regular penetration testing. It also covers response — not just in fixing the issue, but in informing the wider business, the media, and most importantly customers.”

“The first thing to learn from this is that all organisations are at risk because everyone has something of value to lose. Whether that’s access to systems, intellectual property or customer data.

“The second thing to learn is that having a plan in place to mitigate risk is essential. Prevent, detect, respond. Those are three key elements to live by and should cover everything from the business impact of an attack, technical considerations on how to prevent them, as well as how you’d respond to stakeholders in the event of an attack, customers, staff, the ICO, etc.”

“Whether companies should pay the ransom always sparks debate — but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored. There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great. Then of course there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.”

Becky Nicholson, Data Privacy Consultant at Bridewell, added: “Travelex has certain obligations as a controller under Data Protection legislation. One of which is to report personal data breaches to the supervisory authority. It is important, however, to ascertain to whom the data belongs and where it is being processed, so as to determine the jurisdiction.

“It may be that the breach is covered by the General Data Protection Regulation (GDPR); if so, Travelex will need to assess if the breach needs to be reported to the supervisory authority and do so within 72 hours but also to the National Cyber Security Centre (NCSC).

“Travelex must also evaluate the likelihood of the breach resulting in a high risk to the rights and freedoms of the customers and inform them without “undue delay”. When assessing a risk to the rights and freedoms, it is important to focus on the potential negative consequences for the individual. This must be based on how serious or substantial they are and how likely they are to happen. Helpfully, when reporting a personal data breach to the UK’s regulator, the Information Commissioner’s Office (ICO), they will offer advice about whether the individuals involved need to be informed.

“There have also been reports that Travelex was recently warned about vulnerabilities in its virtual private network (VPN) servers. This may also have implications for the company as the GDPR imposes other obligations to implement appropriate technical and operational measures to ensure a level of security appropriate to the risk. This will include such things as regular penetration tests to check for such vulnerabilities.”

Jérôme Robert, Director at Alsid, has said: “We know that the Sodinokibi ransomware is to blame, but beyond that it would be wrong to speculate too much on the anatomy of the attack. What we do know is that whenever there is a sophisticated, large-scale cyber event involving ransomware or large enterprises, we can be confident that Active Directory played a significant role. Hacking into the Active Directory can take less than 20 minutes, and most Active Directory infrastructures are basically open goals for a sophisticated attacker. Gaining access enables an attacker to navigate a large company like Travelex to extract information or corrupt a whole network via lateral movement across endpoints and accounts using the Active Directory.

“The bad news for Travelex is that while this attack rumbles on, its problems are probably only just beginning. Hopefully it will manage to contain the threat by working with the specialists it has called in, but even then there is the question around payment of the ransom… If that data is exposed by the hackers, Travelex can expect an ICO investigation and (sound the GDPR klaxon) a potential large fine. Danish company Demant recently suffered a ransomware attack and cited an estimated $95m in resulting costs, which shows the massive cost of these types of cyber-attacks. Set against these types of costs, protecting the Active Directory is an essential measure in the ongoing fight against increasingly sophisticated ransomware threats.”
