Incident Of The Week: Ransomware Hits Currency Dealer Travelex

Banks, Customers Impacted As Rash Of Attacks Occurs At End Of 2019

Add bookmark

Jeff Orr
01/17/2020

Currency Exchange

A New Year’s Eve ransomware attack on currency dealer and travel money services provider Travelex impacted more than persons traveling over the end-of-year holidays. Banks and partner institutions have widely reported service interruption from online currency orders.

Now, weeks after the attack was executed, services are slowing starting to come back online.

The London-headquartered Travelex took its websites offline once the attack was detected, posting a temporary message for users and partners. Lack of access to digital systems meant employees were required to continue business practices in person using pen and paper at 1,200 locations in more than 70 countries.

String Of Ransomware Attacks At End Of 2019

The specific attack is known as Sodinokibi or REvil. The City of New Orleans disclosed on December 13, 2019 that it had fallen victim to a ransomware attack and the mayor declared a state of emergency. And according to an AP report, New York’s Albany Airport Authority had a Christmas Day ransomware attack that encrypted operational files of employees. The Albany attack is believed to also been the same work of the threat actors behind the Travelex breach.

See Related: Enterprise Security Leaders Prepare For Nation State Cyber Attacks

The threat actors in the Travelex attack told the BBC they gained network access to the company six months ago and claim to have downloaded 5GB of sensitive company and customer data, including birthdates, payment card information and social security numbers.

The ransom demands $6 million in payment for return of the data. The information will be publicly disclosed if payment is not made, according to demands.

The company’s owner, Finablr, based in the United Arab Emirates, said earlier this month that it is not expecting a “material financial impact” from the cyber-attack. Early investigative findings by Travelex acknowledged some of its data had been encrypted, though there was no evidence that personal customer data had been breached.

See Related: Ransomware Aftershock: The Road To Recovery After A Cyber Data Hijack

Next Steps For Recovery

Travelex has not indicated whether or not it is negotiating with the hackers nor has it offered a timeframe for full service restoration, which has many customers frustrated over the breakdown in communications about outstanding transactions.

Organizations in the U.K. are obligated to file a data breach report with the Information Commissioner's Office (ICO) within 72 hours of detecting a data incident unless it does not pose a risk to personally identifiable information (PII). Non-qualifying incidents are expected to maintain their own records and be prepared to explain to the ICO why it was not reported.

With GDPR being enforced, a company failing to comply with data breach disclosure policies are subject to a maximum fine of 4% of its global turnover.

A joint investigation between the UK’s National Crime Agency and the Metropolitan Police is ongoing.

See Related: The Full “Incident Of The Week” Log on Cyber Security Hub

RECOMMENDED