Travelex, one of the UK’s largest providers of foreign currency, has fallen victim to a malicious cyber-attack with potentially dire consequences for its customers. As a result, the company has taken its websites offline across 30 countries to “contain the virus and protect data”.
The hackers – a ransomware gang called Sodinokibi, also known as REvil – carried out the attack on New Year’s Eve, claiming to have first gained access to the company’s computer network six months ago. Since then, the perpetrators claim to have downloaded 5 gigabytes of sensitive customer data and have demanded a ransom of £4.6 million from Travelex to decrypt the data, which the gang says – contrary to Travelex – includes personal data, payment card information and national insurance numbers.
The hackers said:
“In the case of payment, we will delete and will not use that [data]base and restore them the entire network. The deadline for doubling the payment is two days. Then another seven days and the sale of the entire [data]base.”
Travelex, which is now in discussions with the Metropolitan Police, the National Crime Agency and a team of external cybersecurity experts, has insisted there is no evidence that any personal customer data has been encrypted or stolen, but admitted that it doesn’t have a ‘complete picture’ of all the data that has been affected.
Dave Taylor, managing director of Stockport-based Amshire IT Solutions, experts in cyber security, explained how this breach is likely to have occurred:
“It looks as though this breach might have come from a security vulnerability that is rated as critical, which was patched back in April 2019. This vulnerability allows people without valid usernames and passwords to gain access to the network. On reviewing previous ransomware infections before the patch was released, analysts discovered that the systems that were breached used the same vulnerability to access the network, gain administrative access to the servers, disable endpoint security tools and then push the ransomware out to all the machines.
“If the Travelex breach is confirmed to be due to this breach they will have to answer some very difficult questions, after all the critical patch has been available for 8 months!”
However it was caused, an attack of this nature constitutes a personal data breach under data protection law.
The Information Commissioner’s Office has stressed that organisations must notify the ICO within 72 hours of any personal data breach:
“If an organisation decides a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary,” the ICO added.
However, under the General Data Protection Regulation, a company that fails to comply with the ICO can face a maximum fine of 4% of its global turnover.
While the Travelex website has been taken offline, a statement on the holding page said:
“We’re sorry but our online travel money service isn’t available right now. This is a result of a software virus. On discovering the virus, and as a part of a precautionary measure, Travelex immediately took all its systems offline to prevent the spread of the virus further across the network.”
The statement went on to say that the investigation is ongoing and that the virus has been contained.
However, this has to be the ultimate in ‘closing the stable door after the horse has bolted’ or ‘shutting down the website after a diamond data heist’.
Ethical hackers are often employed by many organisations to carry out the most rigorous testing to ensure that all possible steps have been taken to protect an organisation’s systems and data.
Ethical hacking is used to find holes in security, which can mitigate the risk to sensitive data and save a company’s reputation.
So what steps should other companies take to avoid such hacks and ransomware attacks in the future?
Dave explained that there are steps companies should consider to avoid such devastating attacks in the future:
“In order to help reduce your risk you should consider the following:-
- Audit your IT infrastructure on a regular basis. This will help identify what changes have been made and therefore establish who is responsible for them.
- Make sure that all systems are being patched on a regular basis. This doesn’t just mean Windows Updates. This is for all your devices, such as firewalls, switches and printers. For those systems that are hosted on the edge this is even more critical, as they are the gateway into your network.
- All Internet traffic should be filtered and policies applied to traffic. This allows you to block traffic to known malware, botnet or suspicious sites as well as controlling the sites that users use.
- Multi-Factor Authentication (MFA) should be deployed where systems are available outside of the internal network, such as remote working using VPNs and access to email. For those users that don’t need remote access, make sure that it’s not enabled.
- Passwords and password managers. Make sure that passwords are suitable and easy for the users to remember. When combined with MFA this provides better security than a really complex password which has to be written down to be remembered. Using multiple words or a phrase as the password is better than “Pa55W0rd!”, which is a complex password but is easy to guess.
- Backups and Disaster Recovery solutions in place for when you have a breach. It doesn’t have to be a ransomware breach; it could be someone knowingly or unknowingly deleting an important file(s) or folder(s). Backups should be stored off-site and not connected to your internal network. Once your system has been breached, hackers have been known to spend weeks looking around the system before initiating their attack.
- Review your Cyber Insurance Policy. Having the right cover in place can help with the costs associated with investigation work, recovery of data, restoration of services, loss of income, reputation management and notification costs.”
The Travelex systems remain on full shutdown and staff are resorting to pen and paper to deal with customers, but customers may also get in touch via the Travelex Facebook page.
What may also come as a surprise is that ransomware is not new: the first case of ransomware was reported in 1989, when attackers broke in, gathered and stole data, issued ransomware, exposed vulnerabilities in the company’s security and damaged a respected reputation.