Travelex Is Being Ransomed By Hackers; Website Down One Week After Cyberattack

Global currency exchange giant Travelex is being held to ransom by cybercriminals, according to a recent BBC report stating that a hacking collective is demanding USD $6 million in exchange for handing over control of the site.

“A ransomware gang called Sodinokibi has told the BBC it is behind the hack and wants Travelex to pay $6 million (£4.6m),” the report says. “The gang, also known as REvil, claims to have gained access to the company’s computer network six months ago and have downloaded 5GB of sensitive customer data.” 

The data those hackers accessed, according to reports, includes dates of birth, credit card information and national insurance numbers, amongst other sensitive information.

“In the case of payment,” the hackers said, “we will delete and will not use that [data]base and restore them the entire network. The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.” 

In addition to the ransomware revelation, up to thirty domains of the global currency exchange service remain offline one week after a “software virus” hit Travelex’s UK domain on New Year’s Eve.

As of publishing, Travelex’s UK domain remains inaccessible, stating that the website is down for “planned maintenance.” According to InfoSecurity Magazine, “however, a notice posted to Twitter and the firm’s dot-com site reveals a different story- that a ‘software virus’ discovered last Tuesday has ‘compromised some of its services.’”

A spokesperson from the Information Commissioner’s Office (ICO) has said that Travelex has not submitted a formal data breach report to the commission. “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms,” they said. 

“If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”

GDPR stipulates that a company is liable for a maximum fine of 4% of its global turnover for non-compliance.

“Travelex says it is working with police and has deployed teams of IT specialists and external cyber-security experts who have been working continuously,” according to the BBC. 

Travelex, which is headquartered in London and is the self-described “world’s leading foreign exchange specialist,” operates in airports, online and in physical shops around the globe, and supports a number of related financial services. The company has stated that its physical branches remain unaffected by the reported data breach, and that customer data remains secure.

The company’s public response over the past week made no mention of a severe cyberattack or ransomware attack, with some, like security researcher Kevin Beaumont, calling the response “shockingly bad.”

“The public response from Travelex has been shockingly bad,” he said, adding that “the Travelex UK website still only says ‘planned maintenance’, a week after the problems began- many customers will be completely unaware hackers gained access to their network, and allegedly their personal data.” 

“Travelex have a responsibility to clearly communicate with customers and business partners the gravity of the situation,” he said. 

“As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all our systems offline. Our investigation to date shows no indication that any personal or customer data has been compromised,” Travelex said in a statement.

The London Metropolitan Police, who are leading the investigation into the attack, have also issued a statement. “On Thursday, 2 January, the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing,” they said.

The BBC’s report quotes Fabian Wosar, a ransomware expert with cybersecurity company Emsisoft, who says that the attack has all the signs of a legitimate REvil gang attack. “With what we know about the incident and the hackers’ mode of operation in the past paints a consistent picture, which leads me to believe that REvil indeed hit Travelex.”

“The REvil/Sodinokibi group has been quite a sophisticated group for a long time now. The quoted ransom demands are consistent for the gang’s victims of Travelex’s size,” he said.

“Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom. The idea is to weaponise heavy fines associated with GDPR violations to pressure the company into paying.” 

“Having a well-tested resilience plan in place that covers the technical aspects, communication with the public and clear responsibilities for handling incidents can ultimately make a difference between a costly response and maintaining customer trust,” Iain Kothari-Johnson, financial services lead for cybersecurity at Fujitsu UK, said.

“Break-glass incident response services, where experts are on-hand to rapidly investigate and mitigate threats, can also help reduce the financial and reputational impact of this type of incident and should be considered as part of any good resilience plan,” he added. 
