The Sun revealed that the Travelex website is still down, four days after a cyber attack on New Year’s Eve. The currency provider has taken down its site and app, leaving some customers struggling to access funds. The currency exchange provides services to several major banks including Sainsbury’s Bank, Asda, Barclays, HSBC and First Direct.
The Sun
HACK ATTACK Travelex foreign currency website STILL down after 4 days following cyber attack
“There is no doubt that Travelex will be celebrated as a juicy scalp by the hackers and, any ransom associated with this attack is likely to be a significant sum. Ransomware attacks typically take advantage of a security vulnerability relating to Remote Desktop Protocol (RDP), commonly used to gain remote access to IT systems. Exposing RDP directly to the internet is not a recommended since it allows hackers to employ a technique known as a ‘brute force’ attack whereby an extensive list of commonly used usernames and passwords is used to guess login details and gain entry to a system. Once access is gained, valuable data (which may include customer details) can be compromised. In the case of Travelex, ransomware malware software has then been deployed leaving key data encrypted along with a simple ransom note. With a very strong encryption algorithm and no go to backup, there may be no option but to pay the ransom, however, even if paying the hackers gets their data back, Travelex will still have to contend with the difficult task of restoring and securing their IT systems. Regaining reputation and customer trust may be even harder.”
Andrew Stark
Cyber Security Director
RedMosquito (https://www.redmosquito.co.uk/)
The fact that Travelex was compromised is unfortunate and slightly unsettling. It’s never good to hear that a large global financial business fell victim to a cyberattack. The technical details on the attack vector are thin, with some security experts suggesting that unpatched security products could have been the source of the initial breach. Vulnerability management is a crucial part of any business these days and priority should be given to update technology that cause the most impact when compromised.
Another aspect of the Travelex incident is the lack of clear transparent communication. A week has passed since the incident occurred with very little public feedback to Travelex’s clients, suppliers, and stakeholders. This is in stark contrast to how Norsk Hydro handled their cyberattack incident. Granted, Norsk Hydro’s business is totally different to that of Travelex, but the way the company conducted itself during the matter is commendable and should be emulated.
The larger more pressing matter is how Travelex decides to respond to the extortion demands. What is the moral and ethical impact if Travelex bends to the demands of the criminals? Even if the intention is to protect the affected clients, suppliers, and other stakeholders. By paying the £4.5 million ransom, does it really protect anyone? Perhaps in the short-term, but what is the societal and economic cost?
Let us assume that Travelex has cyber insurance and the cost of the ransom payment is covered. Not only does this act incentivise future ransomware activity, it could also, as a natural response, lead to an inflation of future extortion demands. The real problem persists in the criminals and the industry around it, and the real source of the problems isn’t fully addressed. Compliance will be enforced resulting in the possibility of record fines, but as a society we will be worse off. Economically, the burden is increased because businesses will just pass on the cost to consumers, and more incentives will be created for hackers to find innovative new means of extortion.
Could this have been handled better? How did we get here? This raises the point of security debt. Security debt is a concept that speaks to the known or unknown acceptance of security problems introduced through flaws in technology choices, policy choices, management failures, or ignorance. Security debt is latent. If acknowledged early and addressed soon, it limits any negative impact thus the risks are managed proactively. However, ignoring and accumulating security risks leads to an increase in security debt. This accrual of debt becomes a burden and must be paid when it becomes due. The debt is collected when a security incident happens, such as a data breach, because of some security weakness or flaw that has been exploited. Similar to most debt that goes unchecked, it can only be wiped clean through bankruptcy. Or, if lucky, can be made manageable through austerity. Someone will have to cough up be it consumers, employees, shareholders, the economy, or society.
Following the Travelex ransomware attack, the company made the decision to take down its website, yet customers have not been directly informed if their personal data has been compromised.
There are also conflicting reports on whether customer data has been lost.
Travelex has certain obligations as a controller under Data Protection legislation. One of which is to report personal data breaches to the supervisory authority. It is important, however, to ascertain to whom the data belongs and where it is being processed, so as to determine the jurisdiction.
It may be that the breach is covered by the General Data Protection Regulation (GDPR); if so, Travelex will need to assess if the breach needs to be reported to the supervisory authority and do so within 72 hours but also to the National Cyber Security Centre (NCSC).
Travelex must also evaluate the likelihood of the breach resulting in a high risk to the rights and freedoms of the customers and inform them without “undue delay”. When assessing a risk to the rights and freedoms, it is important to focus on the potential negative consequences for the individual. This must be based on how serious or substantial they are and how likely they are to happen. Helpfully, when reporting a personal data breach to the UK’s regulator, the Information Commissioner’s Office (ICO), they will offer advice about whether the individuals involved need to be informed.
There have also been reports that Travelex was recently warned about vulnerabilities in its virtual private network (VPN) servers. This may also have implications for the company as the GDPR imposes other obligations to implement appropriate technical and operational measures to ensure a level of security appropriate to the risk. This will include such things as regular penetration tests to check for such vulnerabilities.
Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry.
Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough. Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.
It’s important to learn from past incidents and build those learnings into a cyber response / resilience plan. Having the right processes in place are critical in being prepared for an attack. This includes technical aspects like replicating data, off-site backups, network segregation, firmware updates and even regular penetration testing. It also covers response — not just in fixing the issue, but in informing the wider business, the media, and most importantly customers.
The first thing to learn from this is that all organisations are at risk because everyone has something of value to lose. Whether that’s access to systems, intellectual property or customer data.
The second thing to learn is that having a plan in place to mitigate risk is essential. Prevent, detect, respond. Those are three key elements to live by and should cover everything from the business impact of an attack, technical considerations on how to prevent them, as well as how you’d respond to stakeholders in the event of an attack, customers, staff, the ICO, etc.
Whether companies should pay the ransom always sparks debate — but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored. There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great. Then of course there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.
If organisations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the “pay or not pay” question is greatly reduced.
Being forced to use pen and paper must feel more like 1920 than 2020. Furthermore, I wish I was saying that this Travelex attack could act as a guinea pig with the potential of what Ransomware can actually achieve but alas, it is by no means the first, nor will it be the last.
The knock on effect from this particular attack is possibly the more poignant and interesting part of the story. Rarely do we see so many third parties affected or even knocked out by such a situation. As other banks have now had repercussions, it suggests that Travelex may not have tested a ransomware simulation which can be extremely valuable to a company.
This attack simply echoes the importance of training in companies as well as having better policies in place to act upon the somewhat inevitable.