Travelex ‘held to ransom’ by New Year’s Eve hackers

17 February 2020

Foreign exchange operator Travelex became the latest global business targeted by a ransomware gang known as Sodinokibi, as many holidaymakers were heading abroad over the festive period. 

Hackers demanded payment of £4.6m and threatened to release up to 5GB of customers’ personal data.

The company, which has over 1,200 branches and 1,000 ATMs spanning more than 70 countries, said it is “making good progress” recovering from the attack on New Year’s Eve. 

There was also a knock-on effect as a number of high street banks all rely on Travelex for foreign exchange services.

Those that confirmed they were unable to offer online exchange services or process orders for foreign currency, included Barclays, HSBC and Clydesdale and online financial services firms First Direct, Virgin Money and Tesco Bank. 

Travelex and the other financial institutions are understood to have been disrupted for more than three weeks.

Staff at the former resorted to pen and paper after the website was taken offline. 

The company said a phased global restoration of systems was now under way and some of its customer-facing systems were up and running again. 

Khushil Dep, founder of cyber security, cloud and agile domains specialist Daemon Dreams told Networking+ that the second major cyber security incident in two years to befall Travelex “is interesting” for different reasons. “From the statements made by the company we may infer that primary and secondary systems were not as segregated as they might have been,” he said. “The traditional business continuity approach applied by most is built on the belief that a software or hardware failure shall be what calls secondary systems into use.” 

Dep added that while good practice demands logical, network and physical segregation, most will rely on well-formed RBAC policies to segregate access between systems. “Often, however, the need to segregate or even utilise privileged access terminals is forgotten or misunderstood,” Dep continued. “A carefully tailored attack can leverage this ignored shared technology base to skip between systems. The latest statement on the Travelex corporate site suggests there was no confidence that this had not happened. Further, it seems that there was a lack of confidence that the infection could not be guaranteed to have been contained to a few systems but may have been a deeper compromise.”

The gang, also known as REvil, claimed to have accessed Travelex’s computer network six months ago and to have downloaded 5GB of sensitive customer data. 

Dates of birth, credit card information and national insurance numbers are all in its possession, the group said. 

Travelex chief executive Tony D’Souza it was “not appropriate” to discuss details of the attack, adding that an investigation was ongoing. “To date, there is no evidence that any data has left the organisation,” he said. The firm is working with the UK’s National Crime Agency and the Metropolitan Police. 

The UK’s Information Commissioner’s Office (ICO) said if an organisation decided that a breach need not be reported, it should keep its own record of it and be able to explain why it had not done so, if required. 

 “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms,” it said. “All organisations processing personal data should do so safely and securely.” 

The Travelex hackers later shut down German car parts company Gedia with yet another big cyberattack.