On New Year’s Eve, foreign exchange provider Travelex was hit by a devastating ransomware attack, which weeks later is far from resolved. There is no doubt, however, that the repercussions will continue for many months, and may incur high costs for the business along with reputational damage and possible regulatory action.
Travelex was affected by Sodinokibi, ransomware that targets Windows systems and encrypts files. Reports say a ransom of some £4.6 million was demanded, but Travelex has not stated whether it has in fact paid this. The criminals have said they will release 5GB of customer data, which includes social security numbers, dates of birth and card payment information. Payment of the ransom would apparently lead to the vulnerable database being deleted and the company’s network being restored.
What went wrong?
Details are still emerging, but it is understood that the company’s virtual private network servers, which provided staff with remote access to central computers, were unpatched, and this left them more vulnerable. Some security experts have said the company should have taken action months ago to prevent such an attack.
The business has a presence in around 70 countries, with over 1200 branches and some 1000 ATMs worldwide, and the attack meant that Travelex was forced to take down its global website. Although it was able to continue trading to some extent, staff were required to resort to pen and paper for branch transactions while trading was offline. It is understood the police were informed on 2 January and the Metropolitan Police is leading the investigation. However, the Information Commissioner’s Office (ICO) has, to date, said it was not informed about any potential breach.
Travelex has stated it does not believe any of its data has been breached and this may be why it did not notify the ICO. Even so, under the General Data Protection Regulation (GDPR), there is a requirement to report any data breaches within 72 hours. The consequences of not doing so could lead to the company staring down a large fine, with the maximum penalty equivalent to €20 million or 4% of global annual turnover (whichever is higher).
It would appear that, behind the scenes, the ICO will be looking closely at what has happened, and the Financial Conduct Authority has also said it is in contact with the firm to ensure fair treatment of customers.
Even so, Travelex has clearly taken action to rectify matters, explaining it has brought in teams of cyber security experts to sort out the IT problems. The case also shows how damaging such an attack can be to third-party business relationships as well as consumer goodwill. Travelex provided services for major banks such as Lloyds, Barclays and Royal Bank of Scotland, Tesco Bank, Sainsbury's Bank, Virgin Money and First Direct, and these companies were also affected by their online foreign exchange services being taken down temporarily.
Meanwhile, chief executive Tony D’Souza has apologised to customers, with the company offering those affected advice on getting refunds, as well as other information via global support desks and social media. Despite this, however, there have been complaints that not enough is being done, with media stories surfacing of customers not receiving currency they had ordered online.
Further comments have also been made stating that Travelex was not quick enough to explain what had happened, with messages on its site not being transparent, stating it was down for “planned maintenance” rather than admitting to the cyber attack. The firm is said to have appointed global public affairs firm Brunswick to help manage the ongoing communications crisis.
Any IT outage can be costly for a business, and this is certainly one on a grand scale. So, while it is reported that Travelex had cyber security insurance in place, this is unlikely to meet all the costs incurred. And although Travelex’s Abu Dhabi-based parent company, Finablr, has played down any financial impact, there has been a fall in share price and a sell-off by some investors.
The first big cyber attack of 2020 shows only too clearly how companies like Travelex can hit the headlines for all the wrong reasons.
The risk of high-impact cyber-related breaches continues to be high on the agenda of organisations working across the financial services sector. Our white paper gives you some suggestions as to the type of metrics you may want to measure as part of your cyber risk programme.