Response Comment: Travelex Foreign Currency Website STILL Down After 4 Days Following Cyber Attack

The Sun revealed that the Travelex website is still down, four days after a cyber attack on New Year’s Eve. The currency provider has taken down its site and app, leaving some customers struggling to access funds. The currency exchange provides services to several major banks including Sainsbury’s Bank, Asda, Barclays, HSBC and First Direct.

Experts Comments

January 09, 2020
James Smith
Principal Security Consultant and Head of Penetration Testing
Bridewell Consulting
Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry. Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough. Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed. It’s important to learn from past incidents and build those learnings into a cyber response / resilience plan. Having the right processes in place is critical in being prepared for an attack. This includes technical aspects like replicating data, off-site backups, network segregation, firmware updates and even regular penetration testing. It also covers response — not just in fixing the issue, but in informing the wider business, the media, and most importantly customers. The first thing to learn from this is that all organisations are at risk because everyone has something of value to lose. Whether that’s access to systems, intellectual property or customer data. The second thing to learn is that having a plan in place to mitigate risk is essential. Prevent, detect, respond. Those are three key elements to live by and should cover everything from the business impact of an attack, technical considerations on how to prevent them, as well as how you’d respond to stakeholders in the event of an attack, customers, staff, the ICO, etc. Whether companies should pay the ransom always sparks debate — but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored. There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted.
This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great. Then of course there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises. If organisations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the “pay or not pay” question is greatly reduced.
January 07, 2020
Tim Dunton
MD
Nimbus Hosting
Another large organisation has been hacked in a successful cyber attack on New Year's Day. The Travelex systems and website have now been shut down, and this of course leaves a large number of customers affected. There is no doubt that this creates frustration among customers, which can lead to distrust and permanently damage a company's reputation. However, many businesses still do not acknowledge the importance of modern and regularly updated IT servers which are immune to cyber attacks or potentially leaked information. When banks are involved, the severity of the issue is heightened and major problems are caused if customers are unable to access their accounts or funds. More should be done to ensure safe internet access, as well as a solid infrastructure that cannot be attacked by cyber criminals, and this goes for all companies. It is about time that more importance is placed on delivering customers with simple tech that protects them, whilst providing the organisation with simple and stress-free options, to run their websites smoothly.
January 15, 2020
Andrew Stark
Cyber Security Director
Red Mosquito
“There is no doubt that Travelex will be celebrated as a juicy scalp by the hackers, and any ransom associated with this attack is likely to be a significant sum. Ransomware attacks typically take advantage of a security vulnerability relating to Remote Desktop Protocol (RDP), commonly used to gain remote access to IT systems. Exposing RDP directly to the internet is not recommended since it allows hackers to employ a technique known as a ‘brute force’ attack whereby an extensive list of commonly used usernames and passwords is used to guess login details and gain entry to a system. Once access is gained, valuable data (which may include customer details) can be compromised. In the case of Travelex, ransomware malware software has then been deployed leaving key data encrypted along with a simple ransom note. With a very strong encryption algorithm and no go-to backup, there may be no option but to pay the ransom; however, even if paying the hackers gets their data back, Travelex will still have to contend with the difficult task of restoring and securing their IT systems. Regaining reputation and customer trust may be even harder.” Andrew Stark Cyber Security Director RedMosquito (https://www.redmosquito.co.uk/)
January 09, 2020
Wicus Ross
Senior Researcher
SecureData
The fact that Travelex was compromised is unfortunate and slightly unsettling. It’s never good to hear that a large global financial business fell victim to a cyberattack. The technical details on the attack vector are thin, with some security experts suggesting that unpatched security products could have been the source of the initial breach. Vulnerability management is a crucial part of any business these days and priority should be given to updating technology that causes the most impact when compromised. Another aspect of the Travelex incident is the lack of clear, transparent communication. A week has passed since the incident occurred with very little public feedback to Travelex’s clients, suppliers, and stakeholders. This is in stark contrast to how Norsk Hydro handled their cyberattack incident. Granted, Norsk Hydro’s business is totally different to that of Travelex, but the way the company conducted itself during the matter is commendable and should be emulated. The larger, more pressing matter is how Travelex decides to respond to the extortion demands. What is the moral and ethical impact if Travelex bends to the demands of the criminals? Even if the intention is to protect the affected clients, suppliers, and other stakeholders. By paying the £4.5 million ransom, does it really protect anyone? Perhaps in the short-term, but what is the societal and economic cost? Let us assume that Travelex has cyber insurance and the cost of the ransom payment is covered. Not only does this act incentivise future ransomware activity, it could also, as a natural response, lead to an inflation of future extortion demands. The real problem persists in the criminals and the industry around it, and the real source of the problems isn’t fully addressed. Compliance will be enforced resulting in the possibility of record fines, but as a society we will be worse off.
Economically, the burden is increased because businesses will just pass on the cost to consumers, and more incentives will be created for hackers to find innovative new means of extortion. Could this have been handled better? How did we get here? This raises the point of security debt. Security debt is a concept that speaks to the known or unknown acceptance of security problems introduced through flaws in technology choices, policy choices, management failures, or ignorance. Security debt is latent. If acknowledged early and addressed soon, it limits any negative impact thus the risks are managed proactively. However, ignoring and accumulating security risks leads to an increase in security debt. This accrual of debt becomes a burden and must be paid when it becomes due. The debt is collected when a security incident happens, such as a data breach, because of some security weakness or flaw that has been exploited. Similar to most debt that goes unchecked, it can only be wiped clean through bankruptcy. Or, if lucky, can be made manageable through austerity. Someone will have to cough up, be it consumers, employees, shareholders, the economy, or society.
January 09, 2020
Becky Nicholson
Data Privacy Consultant
Bridewell Consulting
Following the Travelex ransomware attack, the company made the decision to take down its website, yet customers have not been directly informed if their personal data has been compromised. There are also conflicting reports on whether customer data has been lost. Travelex has certain obligations as a controller under Data Protection legislation. One of which is to report personal data breaches to the supervisory authority. It is important, however, to ascertain to whom the data belongs and where it is being processed, so as to determine the jurisdiction. It may be that the breach is covered by the General Data Protection Regulation (GDPR); if so, Travelex will need to assess if the breach needs to be reported to the supervisory authority and do so within 72 hours but also to the National Cyber Security Centre (NCSC). Travelex must also evaluate the likelihood of the breach resulting in a high risk to the rights and freedoms of the customers and inform them without “undue delay”. When assessing a risk to the rights and freedoms, it is important to focus on the potential negative consequences for the individual. This must be based on how serious or substantial they are and how likely they are to happen. Helpfully, when reporting a personal data breach to the UK’s regulator, the Information Commissioner’s Office (ICO), they will offer advice about whether the individuals involved need to be informed. There have also been reports that Travelex was recently warned about vulnerabilities in its virtual private network (VPN) servers. This may also have implications for the company as the GDPR imposes other obligations to implement appropriate technical and operational measures to ensure a level of security appropriate to the risk. This will include such things as regular penetration tests to check for such vulnerabilities.
January 08, 2020
Jake Moore
Cybersecurity Specialist
ESET
Being forced to use pen and paper must feel more like 1920 than 2020. Furthermore, I wish I was saying that this Travelex attack could act as a guinea pig with the potential of what Ransomware can actually achieve but alas, it is by no means the first, nor will it be the last. The knock-on effect from this particular attack is possibly the more poignant and interesting part of the story. Rarely do we see so many third parties affected or even knocked out by such a situation. As other banks have now had repercussions, it suggests that Travelex may not have tested a ransomware simulation which can be extremely valuable to a company. This attack simply echoes the importance of training in companies as well as having better policies in place to act upon the somewhat inevitable.
January 08, 2020
Sam Curry
Chief Security Officer
Cybereason
Today, most companies have contingency plans and tools in place to deal with the ransomware threat. Because of these factors, many organisations feel like ransomware is now an understood and contained risk. However, that’s for the most part a false sense of security because most of the lack of recent ransomware outbreaks is due to the attackers using it differently, more surgically, if you will, not because defenders are stopping it better. The lifeblood of Travelex's business is undoubtedly its ability for partners and customers to have access to their online travel services, and every minute their systems are locked and offline their business is suffering. Details are scant at this time, but this is an early 2020 wake-up call to all organisations to maintain regular and constant backups of important files and consistently verify that the backups can be restored. Organisations should also educate their employees on refraining from downloading pirated software or paid software offered for 'free,' as humans are the single biggest asset cyber criminals have in extorting money from businesses. Lastly, organisations should deploy advanced anti-ransomware technology to prevent the effective execution of ransomware and help to make cybercrime a less profitable and attractive business.
January 08, 2020
Rachel Aldighieri
Managing Director
DMA
For most businesses, data is its most valuable asset so maintaining its security must be a business imperative. If there is any potential breach that puts consumers’ personal information at risk, customers must be informed promptly by clearly communicating how they could be affected and how the organisation intends to rectify the situation. Consumer trust in how organisations collect, store and use data is fundamental to a data-driven economy. Not only does trust help businesses to build sustainable relationships with customers, it can influence consumers’ willingness to share data in the future.
January 08, 2020
Adam Vincent
CEO
ThreatConnect
Financial institutions are a lucrative target – they hold highly sensitive information and have a mandate to protect the personal information of their customers. When faced with a ransomware attack, financial institutions have two choices – cave to demands or try and fight back. No company is immune from the dangers of being compromised. It’s essential that any potential target understands as much as they can about the threats they face. While financial services institutions tend to operate with security front of mind, there is still an opportunity to collaborate more within the industry and increase intelligence sharing so they understand as much as they can about the threats they are facing. For example, what types or variants of malware have been used to steal, delete, or ransom personal identifiable information or IP specific to financial services? What ransomware has been used in attacks against other organisations within the industry? How does this ransomware work and how does it ransom the targeted data? Ultimately, the more you know, the better and quicker you’ll be able to respond to a new threat.
January 08, 2020
David Emm
Principal Security Researcher
Kaspersky
The ongoing impact of this security breach serves as a stark reminder for businesses to adopt and maintain robust cybersecurity policies and procedures – given that sustained attacks of this nature seriously drain a company’s resources and profits, and the amount of work involved to get a company back up and running. Even if a company on the receiving end of a ransomware attack declines to pay a ransom, cleaning up its systems, restoring data and ensuring business continuity is an involved and costly process. This development also poses the question: should companies ever pay a ransom to cybercriminals? Whilst the decision to pay to restore valuable data is entirely a decision for the victim, it is important to remember the following: you can never entirely trust cybercriminals to keep their end of the deal, and in paying large sums to them, you are helping to fund cybercrime and making ransomware a more lucrative business in the future.
January 08, 2020
Stuart Reed
UK Director
Orange Cyberdefense
The ongoing attack against Travelex is arguably the worst case scenario for how crippling ransomware can be. Not only is Travelex itself affected, having to close its website across 30 countries for over a week. This attack has also brought much of its partner ecosystem - including HSBC, Barclays, Sainsbury's Bank, and Virgin Money - to a grinding halt. If there was ever any doubt that a cyber attack could have a significant effect on financial markets, this proves otherwise. Travelex has faced criticism for its public acknowledgement of the attack, with its website initially reporting that it was down for ‘planned maintenance’ and reportedly it was also made aware that it was running vulnerable services in September by a security researcher and the NCSC. This latest ransomware attack should serve as a reminder to other organisations that it needs to be vigilant with patching and ensure that there is a layered approach to security, able to identify and remove malicious actors from the network quickly and effectively, so that it can seamlessly restore systems with confidence. Travelex's continuing struggle to secure its data against the virus demonstrates just how dangerous this vulnerability is.