Travelex have been experiencing an outage of it’s systems since reporting a cyber attack that has crippled services since News Year’s Eve. A ransomware gang called “Sodinokibi” claimed responsibility for the attack on the currency exchange business, encrypting and blocking sensitive customer data. They have demanded a $6 million (£4.6 million) payment or it would delete the data from the Travelex network and release the information into the public domain.
The 5GB worth of customers’ personal data includes social security numbers, dates of birth and payment card details. The hacker group have promised to restore Travelex’s systems and delete their copy if the ransom was paid.
What is a Ransomware Attack?
Ransomware is malware that encrypts the victim’s files and demands a ransom for the decryption key, which can range from a few hundred to several million. The attackers will usually threaten to share the files publicly if the ransom isn’t paid (a variation called leakware or doxware).
Organisations can experience a halt to day-to-day operations as essential systems are often targeted. It’s a ticking clock to assess what files have been encrypted, the cost of recovering systems back to normal versus paying the ransom, with no guarantee the decryption key will be provided.
What is the Impact?
The hack came at a critical time over the Christmas holidays and not only affected the Travelex website and their outlets across the globe, but a number of partner retailers and banks such as Sainsburys, Tesco, Virgin Money, HSBC, Barclays and Royal Bank of Scotland.
Staff have resorted to using pen and paper to write invoices and fulfil customer orders.
Shares in Travelex’s parent company, Finablr, fell 17%, and at time of writing have yet to recover.
Travelex, however, are denying that any information has been comprised and have since been restoring some functionality to their services. Additionally, the Information Commissioner’s Office confirmed Travelex had still not reported a data breach. A spokesman said:
“We are in contact with Travelex and giving advice on potential personal data issues following the recent ransomware attack. The company has not reported a data breach. If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it and be able to explain why it wasn’t reported if necessary. Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.”
Tony D’Souza, chief executive at Travelex explained:
“We are now at the point where we are able to start restoring functionality in our partner and customer services and will be giving our partners additional detail on what that will look like during the course of this week.”
Customer and Industry Response
Customers have been frustrated with the lack of communication and transparency from Travelex, unsure of whether orders had gone through or if their personal and finance information had been stolen. Some data-breach experts have also criticised Travelex for their poor computer system security. Aman Johal, director of Your Lawyers, a consumer law firm specialising in data breaches comments:
“This is not the first cybersecurity incident to hit Travelex, It is disturbing to see yet another attack, and reports that Travelex waited eight months to fix critical flaws in its security systems and VPN function is concerning.
How Can You Protect Your Business from a Ransomware Attack?
There are several steps you can take to ensure your organisation is protected:
- Limiting the sensitivity and ‘value’ of data stored within your corporate network will reduce your likelihood of becoming a target. Attackers are looking to infiltrate organisations that either have holes in their IT security, would face huge public backlash or regulatory fines if they were compromised.
If you are storing credit and debit card payment data in full or on call recording audio files, you should consider taking the details “out of scope” and away from your network. Becoming PCI-DSS compliant or investing in PCI-DSS compliant payment systems will dramatically reduce your risk of a data breach.
Want to know more? Read Our PCI-DSS Guide - Keep antivirus applications, operating systems and software up to date with the latest security patches. This will reduce the likelihood of attackers exploiting a vulnerability and gain access to your network.
- Backing up your files on a regular basis won’t stop an attack, but it will reduce the impact if you did have to recover files and systems to avoid downtime.
- Educate your staff about malware attacks, the dangers of opening suspicious attachments and increase IT security awareness. This will put less strain on your anti-virus and security software.
Talk to Key IVR if you’d like to know more about protecting sensitive payment data and reducing the impact of a data breach. Email sales@keyivr.com or call +44 (0) 1302 513 000