Foreign exchange company Travelex continues to be held to ransom by hackers after a cyber-attack forced the firm to revert to pen and paper rather than using its computer systems.
The attack was launched on New Year’s Eve, according to reports, and the company has since taken down its websites across 30 countries, in an attempt to “contain the virus and protect data”.
According to the BBC, the ransomware gang claimed to be behind the attack is called Sodinokibi. It has called for the firm to pay £4.6m, having downloaded vast amounts of sensitive customer data, including dates of birth, credit card information and national insurance numbers.
According to current reports, no data has yet been released, whilst the Information Commissioner’s Office has declared that it has not received a data breach report from Travelex.
The Metropolitan Police is leading the investigation into the attack, stating: “On Thursday 2nd January, the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing.”
The police, IT specialists and external cyber security specialists are all currently supporting the company in an attempt to find a solution to the breach.
Following the release of the news, a number of high street banks have stopped customers ordering foreign currency, including Lloyds, Barclays and Royal Bank of Scotland.
IFSEC Global has received comment from cyber security specialists, with responses so far below.
James Smith, Principal Security Consultant and Head of Penetration Testing at Bridewell Consulting, comments: “Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry.
“Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough. Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.”
“It’s important to learn from past incidents and build those learnings into a cyber response / resilience plan. Having the right processes in place is critical in being prepared for an attack. This includes technical aspects like replicating data, off-site backups, network segregation, firmware updates and even regular penetration testing. It also covers response — not just in fixing the issue, but in informing the wider business, the media, and most importantly customers.”
“The first thing to learn from this is that all organisations are at risk because everyone has something of value to lose. Whether that’s access to systems, intellectual property or customer data.
“The second thing to learn is that having a plan in place to mitigate risk is essential. Prevent, detect, respond. Those are three key elements to live by and should cover everything from the business impact of an attack, technical considerations on how to prevent them, as well as how you’d respond to stakeholders in the event of an attack, customers, staff, the ICO, etc.”
“Whether companies should pay the ransom always sparks debate — but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored. There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great. Then of course there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.”
Becky Nicholson, Data Privacy Consultant at Bridewell Consulting, added: “Travelex has certain obligations as a controller under Data Protection legislation. One of which is to report personal data breaches to the supervisory authority. It is important, however, to ascertain to whom the data belongs and where it is being processed, so as to determine the jurisdiction.
“It may be that the breach is covered by the General Data Protection Regulation (GDPR); if so, Travelex will need to assess if the breach needs to be reported to the supervisory authority and do so within 72 hours but also to the National Cyber Security Centre (NCSC).
“Travelex must also evaluate the likelihood of the breach resulting in a high risk to the rights and freedoms of the customers and inform them without “undue delay”. When assessing a risk to the rights and freedoms, it is important to focus on the potential negative consequences for the individual. This must be based on how serious or substantial they are and how likely they are to happen. Helpfully, when reporting a personal data breach to the UK’s regulator, the Information Commissioner’s Office (ICO), they will offer advice about whether the individuals involved need to be informed.
“There have also been reports that Travelex was recently warned about vulnerabilities in its virtual private network (VPN) servers. This may also have implications for the company as the GDPR imposes other obligations to implement appropriate technical and operational measures to ensure a level of security appropriate to the risk. This will include such things as regular penetration tests to check for such vulnerabilities.”
Jérôme Robert, Director at Alsid, has said: “We know that the Sodinokibi ransomware is to blame, but beyond that it would be wrong to speculate too much on the anatomy of the attack. What we do know is that whenever there is a sophisticated, large-scale cyber event involving ransomware or large enterprises, we can be confident that Active Directory played a significant role. Hacking into the Active Directory can take less than 20 minutes, and most Active Directory infrastructures are basically open goals for a sophisticated attacker. Gaining access enables an attacker to navigate a large company like Travelex to extract information or corrupt a whole network via lateral movement across endpoints and accounts using the Active Directory.
“The bad news for Travelex is that while this attack rumbles on, its problems are probably only just beginning. Hopefully it will manage to contain the threat by working with the specialists it has called in, but even then there is the question around payment of the ransom… If that data is exposed by the hackers, Travelex can expect an ICO investigation and (sound the GDPR klaxon) a potential large fine. Danish company Demant recently suffered a ransomware attack and cited an estimated $95m in resulting costs, which shows the massive cost of these types of cyber-attacks. Set against these types of costs, protecting the Active Directory is an essential measure in the ongoing fight against increasingly sophisticated ransomware threats.”

The post Travelex hit by cyber-attack appeared first on IFSEC Global | Security and Fire News and Resources.