Incident Of The Week: Ransomware Hits Currency Dealer Travelex
Banks, Customers Impacted As Rash Of Attacks Occurs At End Of 2019
A New Year’s Eve ransomware attack on currency dealer and travel money services provider Travelex impacted more than persons traveling over the end-of-year holidays. Banks and partner institutions have widely reported service interruption from online currency orders.
Now, weeks after the attack was executed, services are slowly starting to come back online.
The London-headquartered Travelex took its websites offline once the attack was detected, posting a temporary message for users and partners. Lack of access to digital systems meant employees were required to continue business practices in person using pen and paper at 1,200 locations in more than 70 countries.
String Of Ransomware Attacks At End Of 2019
The ransomware used in the attack is known as Sodinokibi or REvil. The City of New Orleans disclosed on December 13, 2019 that it had fallen victim to a ransomware attack, and the mayor declared a state of emergency. And according to an AP report, New York’s Albany Airport Authority suffered a Christmas Day ransomware attack that encrypted operational files of employees. The Albany attack is also believed to have been the work of the same threat actors behind the Travelex breach.
The threat actors in the Travelex attack told the BBC they gained network access to the company six months ago and claim to have downloaded 5GB of sensitive company and customer data, including birthdates, payment card information and social security numbers.
The attackers are demanding $6 million in payment for return of the data. The information will be publicly disclosed if payment is not made, according to the demands.
The company’s owner, Finablr, based in the United Arab Emirates, said earlier this month that it is not expecting a “material financial impact” from the cyber-attack. Early investigative findings by Travelex acknowledged some of its data had been encrypted, though there was no evidence that personal customer data had been breached.
Next Steps For Recovery
Travelex has not indicated whether it is negotiating with the hackers, nor has it offered a timeframe for full service restoration, which has left many customers frustrated over the breakdown in communications about outstanding transactions.
Organizations in the U.K. are obligated to file a data breach report with the Information Commissioner's Office (ICO) within 72 hours of detecting a data incident unless it does not pose a risk to personally identifiable information (PII). Organizations with non-qualifying incidents are expected to maintain their own records and be prepared to explain to the ICO why the incident was not reported.
With GDPR being enforced, a company failing to comply with data breach disclosure policies is subject to a maximum fine of 4% of its global turnover.
A joint investigation between the UK’s National Crime Agency and the Metropolitan Police is ongoing.