Travelex disruption caused by devastating ransomware attack
Attackers vow to return 5GB of customer data in exchange for $6 million, but Travelex claims no data has been stolen


The foreign exchange company Travelex has confirmed that the ongoing disruption to its services, which started on New Year's Eve, is being caused by a successful ransomware attack.
The outage, which has lasted more than a week, has caused chaos for customers and partners alike who rely on these systems to conduct transactions.
Travelex had previously pinned the disruption on a "software virus" in a statement released three days after the attack. In an updated statement, however, the firm confirmed that the incident was indeed caused by a ransomware attack.
Additional reports suggest the perpetrators are demanding millions of dollars in exchange for the return of customer data.
Travelex first detected that a virus had compromised its services on 31 December and took all of its systems offline as a precaution to prevent the malware from spreading across its network any further.
Following days of speculation and media reports, the firm has finally confirmed that the "software virus" that hit its systems was the ransomware known as REvil, also referred to as Sodinokibi.
The attack was a success, and the group behind the attack has demanded a ransom to the tune of $6 million (approximately £4.6 million), according to BBC News.
The attackers also claim they have taken approximately 5GB of customer data, and will only return this should the ransom be paid in full. This data is claimed to comprise dates of birth, national insurance numbers as well as credit card information.
The company says it's taken steps to contain the spread of the ransomware, suggesting that although there has been some encryption, there remains no evidence that any customer data has been compromised.
Travelex also added in a statement that, while it does not have a complete picture of all the data that has been encrypted, "there is still no evidence to date any data has been exfiltrated".
These conflicting reports could suggest the attackers are bluffing in claiming to have downloaded a cache of customer data. Many less well-resourced firms, however, are unable to conduct thorough assessments in the wake of such attacks and may deem these 'bluffs' too risky to ignore, paying any ransom demanded to secure the safe return of their data regardless.
"Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise," said Travelex chief executive Tony D'Souza.
"We take very seriously our responsibility to protect the privacy and security of our partner and customers' data as well as provide an excellent service to our customers and we sincerely apologise for the inconvenience caused.
"Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim."
A forensic analysis of the incident is underway, and the firm is working to fully recover its systems. Some internal systems have been restored, but disruption still remains on the customer and partner-facing side. This is reportedly affecting services of other firms such as HSBC and Tesco Bank.
Travelex says it's in discussions with the National Crime Agency (NCA) and the Metropolitan Police, who are each conducting their own investigations into the breach.
There's doubt as to whether Travelex has approached the Information Commissioner's Office (ICO), however, despite the potential for data theft. The incident could constitute a violation of the General Data Protection Regulation (GDPR), should the attackers' claims to have made away with customer data prove to be true.
"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms," an ICO spokesperson said.
"If an organisation decides that a breach doesn't need to be reported they should keep their own record of it, and be able to explain why it wasn't reported if necessary."
Principal security consultant and head of penetration testing at Bridewell Consulting, James Smith, told IT Pro that Travelex has handled the initial fallout badly. The company should also learn from this incident, as well as past incidents, and build these teachings into a proper cyber resilience plan.
"Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry," Smith said.
"Travelex has taken a long time to inform customers about what's taken place, and placing a press statement on the website days after the event simply isn't enough.
"Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed."
Ransomware is highly common, blighting countless businesses every year.
Many companies and professionals, meanwhile, believe that paying the ransom is often a cheaper and simpler way to secure data and restore systems.
A Canadian laboratory, for example, was advised in late 2019 to pay hackers in order to retrieve 85,000 stolen data records, despite this action being against the general consensus among security experts.
Asked whether Travelex should pay the ransom, Smith added there is a debate to be had, but the negatives always outweigh the positives.
"If you pay, in theory, you regain access to your data and systems and business can continue. However, there's no guarantee you'll actually get access restored.
"There's also no guarantee that the data hasn't been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great.
"Then, of course, there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.
"If organisations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the 'pay or not pay' question is greatly reduced."

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.