The foreign exchange company Travelex has confirmed the ongoing disruption to its services, which started on New Year’s Eve, is being caused by a successful ransomware attack.
The outage, which has lasted more than a week, has caused chaos for customers and partners alike who rely on these systems to conduct transactions.
Travelex had previously pinned disruption on a “software virus”, in a statement released three days after the attack. In an updated statement, however, the firm confirmed that the incident was indeed caused by a ransomware attack.
Additional reports suggest the perpetrators are demanding millions of dollars in exchange for the return of customer data.
Travelex first detected that a virus had compromised its services on 31 December and took all of its systems offline as a precaution to prevent the malware from spreading across its network any further.
Following days of speculation and media reports, the firm has finally confirmed the “software virus” that hit its systems was the ransomware known as REvil, with the name Sodinokibi also sometimes used.
The attack was a success, and the group behind the attack has demanded a ransom to the tune of $6 million (approximately £4.6 million), according to BBC News.
The attackers also claim they have taken approximately 5GB of customer data, and will only return this should the ransom be paid in full. This data is claimed to comprise dates of birth, national insurance numbers as well as credit card information.
The company says it’s taken steps to contain the spread of the ransomware, suggesting that although there has been some encryption, there remains no evidence that any customer data has been compromised.
Travelex also added in a statement that while it does not have a complete picture of all the data that has been encrypted, “there is still no evidence to date any data has been exfiltrated”.
These conflicting reports could suggest the attackers may be bluffing in claiming to have downloaded a cache of customer data. Many less well-resourced firms unable to conduct thorough assessments in the wake of such attacks, however, may deem these ‘bluffs’ too risky to ignore, and pay any ransom demanded to secure safe return regardless.
“Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise,” said Travelex chief executive Tony D’Souza.
“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data as well as provide an excellent service to our customers and we sincerely apologise for the inconvenience caused.
“Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim.”
A forensic analysis of the incident is underway, and the firm is working to fully recover its systems. Some internal systems have been restored, but disruption still remains on the customer and partner-facing side. This is reportedly affecting services of other firms such as HSBC and Tesco Bank.
Travelex says it’s in discussions with the National Crime Agency (NCA) and the Metropolitan Police, who are each conducting their own investigations into the breach.
There’s doubt as to whether Travelex has approached the Information Commissioner’s Office (ICO), however, despite the potential for data theft. The incident could constitute a violation of the General Data Protection Regulation (GDPR), should the attackers’ claims to have made away with customer data prove to be true.
“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms,” an ICO spokesperson said.
“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”
Principal security consultant and head of penetration testing at Bridwell Consulting, James Smith, told IT Pro that Travelex has handled the initial fallout badly. The company should also learn from this incident, as well as past incidents, and build these teachings into a proper cyber resilience plan.
“Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry,” Smith said.
“Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough.
“Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.”
Ransomware is highly common, with this form of attack blighting countless businesses each year.
Many companies and professionals, meanwhile, believe that paying the ransom is often a cheaper and simpler way to secure data and restore systems.
A Canadian laboratory, for example, was advised in late 2019 to pay hackers in order to retrieve 85,000 stolen data records, despite this action being against the general consensus among security experts.
Asked whether Travelex should pay the ransom, Smith added there is a debate to be had, but the negatives always outweigh the positives.
“If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored.
“There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great.
“Then, of course, there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.
“If organisations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the ‘pay or not pay’ question is greatly reduced.”