There has been something of a change in the nature of ransomware attacks in recent times. While such attacks were previously made on relatively small, individually owned websites, they have come to leave major organizations reeling. So it was on New Year's Eve 2019 that the website of the market-leading foreign exchange business Travelex was infiltrated with the Sodinokibi ransomware variant. Keep on reading as we provide you with an expert overview of the events and the lessons that can be taken from Travelex's cyber-nightmare.
Reports about the Travelex ransomware attack began to circulate soon after the turn of the new decade. The decision had apparently been made to inform Travelex customers that the website was down for maintenance. However, the real reason was disclosed in a subsequent press release sharing details of the attack. Further articles revealed that the cyber-criminals had managed to infiltrate the Travelex website with the Sodinokibi (REvil) variant. It wasn't until January 17th that the first customer-facing systems were restored.
Travelex initially claimed that no customer data had been lost as a result of the attack. However, Computer Weekly reported a breach of systems holding client names, bank account numbers, and transaction details. Further concerns were raised in a BleepingComputer report claiming that the criminals responsible for the Sodinokibi attack had encrypted the complete Travelex network.
Travelex were reportedly given seven days to pay a ransom of $3 million in order to avoid the dumping of stolen data. It seems that there was some negotiation, leading to a transfer of $2.3 million in bitcoin. Parent company Finablr then failed in its attempt to sell Travelex. PwC (PricewaterhouseCoopers) assumed responsibility for restructuring the foreign exchange business, with the resulting loss of over 1,300 jobs.
Travelex's reputation took a serious blow when it was revealed that warnings about security vulnerabilities had been issued earlier in 2019. No action was taken, despite the established need for improved VPN security. Failure to install the patches has been claimed as a key factor in the success of the ransomware attack.
The combined effects of ransomware and COVID have made 2020 one of the toughest years for Travelex. Parent company Finablr said that the global exchange business had taken a £25 million loss in earnings as a direct result of the attack. However, much of the financial impact was covered by a cyber insurance policy.
PwC released a follow-up statement revealing that "The impact of a cyber-attack in December 2019 and the ongoing COVID-19 pandemic this year has acutely impacted the business." However, the leading professional services firm has subsequently said that it is optimistic about Travelex's future prospects, with the business restructuring saving 1,802 jobs in the UK and a further 36,356 internationally.
The Travelex case should serve as a warning to any other business that has overlooked the importance of digital safeguarding, and of timely software patching in particular. The Sodinokibi attack may well have proven unsuccessful had Travelex acted on the earlier cybersecurity recommendations. Similar decisions to delay cybersecurity investment could result in the forced payment of significant ransoms, or in business dissolution. Failure to pay may also prompt the cybercriminals to publish samples of the stolen data with the aim of inflicting major reputational damage.
Companies that fail to act on the Travelex example will be at continued risk of losing personally identifiable information, credit card numbers, and other sensitive data. Such loss is bound to have a lasting brand impact, with the potential of legal action against those who fail to act with due care and diligence. The victims of ransomware are being held over a barrel, given the potential for the mass sharing of customer data.
Questions have also been raised about the transparency of communication with business customers. The decision to withhold details of the breach prevented the immediate implementation of safeguarding actions, including placing holds on credit cards, arranging credit monitoring, and changing passwords. Travelex could reasonably be accused of placing their customers' security at increased risk in a bid to save face. The ICO may see fit to take significant legal action as a result of Travelex's failure to abide by the requirements of the General Data Protection Regulation (GDPR).
These actions should be taken in light of the Travelex incident:
- Arranging company-wide training to ensure that all staff members take necessary actions for the preservation of digital security
- Establishing a formal digital policy with procedures for handling concerns over data security
- Implementing a comprehensive information security system, with routinely applied processes to ensure that security vulnerabilities don't go unnoticed
The Travelex ransomware attack highlights the need for tested incident response plans that go beyond the basics of IT security. There is a clear need for general business education on common security threats and social engineering attempts. You can identify the complete range of vulnerabilities and establish the need for action with OnSecurity penetration testing.