Monday, 20 January 2020

Unhappy new data breach!


The new year was barely hours old, when news started leaking about a troubling new data breach – the result of a ransomware attack on a major currency exchange business.

Holiday makers, foreign exchange offices and airport currency services were all thrown into disarray in the first few days of the new decade, thanks to an audacious ransomware attack on currency exchange service operator Travelex.

For those caught up in the wake of the attack, it wasn’t the best start to the new year – especially for those holiday makers stranded abroad with no access to the currency they thought they had secured.

Held to ransom

For Travelex, the experience and its aftermath have been hugely costly. The hack was first discovered on December 31, 2019. The criminals behind the ransomware attack shut down the company’s systems and demanded a $6 million ransom payment.

If Travelex failed to pay up, the criminals threatened, they would begin releasing encrypted data they had captured from the company’s systems to sell it online. Furthermore, they would delete it from the company’s own systems.

With no access to its own systems, the company shut down the website – placing a holding message saying it was down for “routine maintenance” from New Year’s Day. Meanwhile, staff in its branches had to resort to using pen and paper to record over-the-counter transactions for customers.

High street banks that use Travelex’s system were also affected; Royal Bank of Scotland, HSBC, Barclays and Lloyds were all amongst those finding they could not offer their customers online travel money services.

Travelex only went public with the attack on January 2, 2020. By then, it had asked the Metropolitan Police to investigate, but had still not informed the Information Commissioner’s Office (ICO). Under GDPR legislation, organisations affected by a data breach must inform the ICO of the breach within 72 hours of its discovery.

The lag in discovery

Meanwhile, the criminals behind the attack released a statement to the BBC, claiming to have gained access to the company's computer network six months ago. They said they had downloaded 5GB of sensitive customer data, including dates of birth, credit card information and national insurance numbers.

The REvil/Sodinokibi group behind the attack, who were already known to investigators, said: “In the case of payment, we will delete and will not use that base and restore them the entire network… The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

A ransomware expert at the cybersecurity company Emsisoft, Fabian Wosar, commented: “The REvil/Sodinokibi group has been a quite sophisticated group for a long time now. The quoted ransom demands are consistent for the gang's victims of Travelex's size. Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom. The idea is to weaponise the hefty fines associated with GDPR violations to pressure the company into paying.”

A failure of customer service

While the full cost of the breach is yet to be understood, there were some immediate impacts on the share price of Travelex’s parent company.

Although Travelex said it did not anticipate any “material financial impact” for its owner, the Finablr Group based in Abu Dhabi, the New York Times reported that Finablr shares fell more than 15 percent on the London Stock Exchange after Travelex confirmed the attack.

The trust of Travelex customers has also been left shaken.

The Independent reported several days after the breach that “customers have complained online they are stranded in foreign countries without money that they put on Travelex ATM cards. They are all being told to simply wait until the company fixes its computer system, with no indication of when that might be.”

Customers are still awaiting resolution. Meanwhile, investigations by the police and authorities are ongoing. Commentators have made the point that this isn’t the first time Travelex has experienced security breaches and it has received warnings in the past – making the prospect of fines under GDPR more likely. Companies need to be able to demonstrate they are taking care of customer data.

What would you do in the event of a data breach?

In the press, the debate about whether or not to pay ransomware demands rumbled on. Many companies choose to – simply to restore systems and continue business. However, this puts greater resources in the hands of hackers – making the prospect of ever-more sophisticated attacks more likely.

Of course, it’s not just big businesses that are targeted – it’s generally only them that make the news, though. Increasingly, small businesses are targeted because they are much softer targets, often without the in-house expertise afforded to enterprise businesses.

The best way to respond is, of course, to take preventative measures. Follow cyber-security essentials, close known security vulnerabilities, deploy proactive monitoring tools and be ready should a breach happen.

This means having a policy in place, so everyone knows how to respond. And, most importantly, have the appropriate backup system in place – so compromised systems can be restored.

If you would like help to prevent a data breach happening to your organisation, or to talk about IT Support in general, the Grant McGregor team can assist.

Contact us today on: 0808 16 4142.

Because if there is one thing we all know for sure, while Travelex might be the first victim of hackers in 2020, sadly they certainly won’t be the last…
