How the Travelex Ransomware Attack Could Have Been Avoided


At the end of 2019, currency exchange firm Travelex found itself the victim of a ransomware attack. Cyber criminals locked Travelex out of its own files, halted currency transactions across the UK, and demanded almost £5 million to decrypt the files and delete 5GB of personal data they claimed to have stolen.

Our Group IT Director, Mark Nutburn, takes a look at how this crime occurred, what the fallout might be, and what Travelex could have done to avoid falling prey to this attack.

Travelex is behind the currency exchanges of dozens of high street banks, including Lloyds, Barclays and Royal Bank of Scotland, as well as supermarkets Sainsbury’s and Tesco.

So when cyber criminals gained access to Travelex’s servers and encrypted its files, they halted currency exchanges across the UK.

In addition, they claimed to have gained access to 5GB of personal data held by the company. The criminals then promised to decrypt Travelex’s files and delete the personal data they claimed to have in exchange for £4.6 million. But how did Travelex find themselves the victim of this attack?

How Did Travelex Get Hacked?

When Travelex’s website went down, the company initially claimed it was due to planned maintenance. But after a few days, a picture had emerged of how a simple mistake had left the company vulnerable to attack.

The criminals exploited a vulnerability in the company’s Virtual Private Network (VPN) appliance, which was provided by Pulse Secure.

The vulnerability (tracked as CVE-2019-11510) was particularly bad. It allowed an attacker to read files from the appliance without a valid username or password, including logs and cached passwords in plain text, and, chained with related flaws fixed in the same release, to switch off multi-factor authentication. With valid credentials in hand, the attackers could log in as legitimate users and deploy Sodinokibi (also known as REvil) ransomware, encrypting Travelex’s files so the company could not access them and potentially copying personal data for thousands of its customers.

But while the vulnerability was catastrophic, the fault for the Travelex attack did not lie with the software: Pulse Secure had identified and patched the vulnerability in April 2019. The fault lay with Travelex itself, which had failed to apply the patch to its own servers and so left itself unnecessarily vulnerable for over eight months.
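An exposure window of eight months is exactly the kind of gap a routine inventory check catches mechanically. The script below is an added example, not code from the original article or from Pulse Secure: it compares each appliance’s running version against an assumed fixed-in version for its branch and reports how long each unpatched host has been exposed since the patch release. The version-string format is modelled on the “<major>.<minor>R<release>.<build>” shape Pulse Connect Secure uses; the fixed-in table, the advisory date and the hostnames are constructed sample values, so substitute the real ones from the vendor advisory and your own asset register.

```python
"""Patch-exposure check for an appliance fleet with vendor-style version strings.

Added example, not from the article or the vendor. Version strings follow the
"<major>.<minor>R<release>.<build>" shape used by Pulse Connect Secure; the
fixed-in table, advisory date and inventory are constructed sample data.
"""
import re
from datetime import date

# Assumed fixed-in version per supported branch (illustrative values only;
# take the real ones from the vendor advisory for the bug you are tracking).
FIXED_IN = {
    "9.0": "9.0R3.4",
    "8.3": "8.3R7.1",
    "8.2": "8.2R12.1",
    "8.1": "8.1R15.1",
}
PATCH_RELEASED = date(2019, 4, 24)   # assumed advisory date for the example
REPORT_DATE = date(2019, 12, 31)     # day the fleet is being checked

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")


def parse_version(version):
    """Turn '8.3R7.1' into (8, 3, 7, 1).

    A plain string comparison ranks '8.3R12.1' below '8.3R7.1' because the
    character '1' sorts before '7'; tuples of integers compare correctly.
    A missing build number is treated as build 0.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, release, build = match.groups()
    return (int(major), int(minor), int(release), int(build or 0))


def is_patched(version):
    """True if the running version is at or above the fixed-in version for
    its branch. A branch with no fixed-in entry is reported as unpatched
    (fail closed) rather than silently skipped."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return False
    return parsed >= parse_version(fixed)


def exposure_report(inventory, today):
    """inventory: iterable of (hostname, version).

    Returns a list of (hostname, version, days_exposed) for every host that
    is still unpatched, where days_exposed counts from the patch release."""
    findings = []
    for host, version in inventory:
        if not is_patched(version):
            findings.append((host, version, (today - PATCH_RELEASED).days))
    return findings


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE_INVENTORY = [
    ("vpn-lon-01", "9.0R3.4"),   # patched: exactly the fixed-in build
    ("vpn-lon-02", "9.0R3.2"),   # vulnerable: two builds behind
    ("vpn-man-01", "8.3R12.1"),  # patched, although it sorts below 8.3R7.1 as text
    ("vpn-dub-01", "8.3R7"),     # vulnerable: no build number, so 8.3R7.0 < 8.3R7.1
    ("vpn-old-01", "7.4R3.2"),   # unsupported branch, reported as unpatched
]

if __name__ == "__main__":
    for host, version, days in exposure_report(SAMPLE_INVENTORY, REPORT_DATE):
        print(f"{host}: {version} unpatched for {days} days")
```

The detail worth noticing is the version comparison. As plain strings, “8.3R12.1” sorts below “8.3R7.1”, so a naive check would mark a patched host as vulnerable, and would miss real gaps once release numbers cross a digit boundary the other way. Parsing to integer tuples removes that trap, and a host on a branch the table does not know is reported rather than dropped, which is the behaviour you want when the report feeds a compliance review.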

But aside from causing misery for travellers and damaging Travelex’s reputation, the attack has had far greater consequences for the company, with the potential for more on the horizon.

The Fallout of an Attack

Recovery costs

The attackers demanded £4.6 million in exchange for decrypting Travelex’s files and not releasing the personal data. While Travelex should be able to resume business without paying the ransom, such a course of action can remain costly. When Norwegian aluminium maker Norsk Hydro suffered a ransomware attack in March 2019, the company refused to pay the criminals, but recovery costs were estimated at $52 million.

GDPR fines

The criminals also threatened to release the personal data they claimed to have stolen if the ransom wasn’t paid. But while Travelex was quick to suggest that no personal data had been accessed, criminals who use the Sodinokibi ransomware typically exfiltrate a copy of personal data in case the company fails to pay the ransom. If it turns out that this is exactly what happened to Travelex, the company is unlikely to be treated kindly by the Information Commissioner’s Office.

That’s because Travelex did not report a potential data breach to the ICO. The General Data Protection Regulation (GDPR) requires an organisation to notify the ICO within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to individuals, and the ICO treats loss of access to personal data, such as its encryption by ransomware, as a breach in its own right. If the ICO concludes that Travelex should have reported and did not, it may choose to make an example of the company, which could mean a fine of up to 4% of its annual global turnover.

Share price

The financial impact was not limited to Travelex alone. The share price of companies that suffer a cyber attack often falls, so it is unsurprising that Finablr Group, Travelex’s parent company, saw its shares drop nearly 6% in the week of the attack, wiping £192 million from its market value.

While it might be small comfort to Travelex now, there are ways it might have avoided this attack and the financial impact that followed. But other organisations can learn from Travelex’s mistake and protect themselves in the future.

How Could Travelex Have Avoided the Attack?

There was just one cause of the Travelex attack: a simple mistake. The vendor had released a patch for the vulnerability that gave the criminals access to Travelex’s systems more than eight months before the attack. Had that patch been applied to Travelex’s servers, there would have been no attack.

Human error is understandable, but avoidable. It is easy for details to slip through the cracks, especially in large companies. That just makes it more important to ensure that as many opportunities for mistakes as possible are covered by training, policy, and system management.

Training

Awareness and training are just as vital as firewalls and encryption, and yet training often seems to be restricted to those at the head of organisations. 81% of directors, trustees, or senior management received cyber security training in 2019, compared to just 29% of staff. And this figure was only marginally better for staff whose roles included information security; just 36% of these individuals received cyber security training in 2019.

Ensure that everyone receives the appropriate level of training. Even employees who don’t obviously have access to customer databases need training to help ensure they are doing their part to maintain your organisation’s security.

A comprehensive data protection policy

Even if you believe that extensive cyber security training isn’t needed for the majority of your staff, it’s vital that you have a comprehensive data security policy. But over 25% of large firms do not have a formal policy covering cyber security risks, and this figure increases for smaller firms.

Clear policies provide employees with a resource to refer to when any uncertainty arises over data security. Policies that set out clear procedures to follow, clear responsibilities, and clear requirements mean that it is less likely that vulnerabilities such as the one Travelex suffered will go unnoticed.

An Information Security Management System

A comprehensive, systematic approach is vital when you’re trying to maintain the cyber security of a large organisation. After all, just one unpatched server can potentially compromise an entire network.

An Information Security Management System helps an organisation apply consistent and uniform processes across every aspect of the business, reducing the risk that a vulnerability will slip through the cracks.

By taking a risk-based approach to security, an ISMS will help you identify risks to the personal information you hold, determine the correct methods for mitigating or avoiding those risks, and can help you address many of the cyber security threats facing organisations, including the sort of mistakes that led to the attack on Travelex.

Many will lose out in the aftermath of the attack on Travelex, from employees to management, shareholders to customers. The real tragedy is that this loss was entirely avoidable. While a mistake is easy to make, ensuring that your organisation is set up to support employees with training and resources can ensure that mistakes are less likely. Hopefully, more organisations will take the steps listed above to protect themselves and ensure that they do not fall prey to the same attack as Travelex.

To find out more about information security, and how an ISMS can help protect your organisation from cyber crime, fill in the form below and download our free white paper, ‘The Invisible Digital Threat’.
