World’s Largest Currency Exchanger Hostage to Data Hack
The year started with the news that the UK’s Travelex had been hit by ransomware, crippling the money transfer firm.
2019 was a record-breaking year for those committed to stealing data. Juniper Research, for example, has estimated the global damage done by hacking at $2 trillion, an amount likely to grow to $6 trillion by 2021. This, of course, covers only the cybercrimes that are reported; it is estimated that only 10% to 12% of all cybercrime is reported in the United States.
The first major cybercrime of the year is kicking 2020 off to a rousing start. UK financial service provider Travelex has been hit with a $6 million ransom, crippling the world’s largest currency exchange network as of New Year’s Eve.
This has created a problem for Travelex customers who have placed conversion orders while abroad. Travelex offers white label services for several brands, including Virgin Money, Tesco Bank, First Direct, and Sainsbury’s Bank. With the hackers threatening to release 5GB of customers’ personally identifiable information, including credit card information, dates of birth, and Social Security numbers unless Travelex pays up, the company has opted to switch off its computer systems until the crisis has passed. Many of the firm’s branches are currently processing orders manually.
“Travelex has been successful in containing the spread of the ransomware,” the company said to the Guardian. “Travelex has also confirmed that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted, and that there is still no evidence that any data has been exfiltrated.”
The company is unsure when it will return to normal operations. It has indicated that it has regained control of several of its internal systems and is working toward resuming normal operations as quickly as possible. None of parent company Finablr’s other brands, which include UAE Exchange, Xpress Money, Unimoni, Remit2India, Ditto and Swych, have been affected.
While Travelex is a foreign currency exchange brand, the company does have operations in the United States. Travelex maintains ATMs and branches in the country, largely limited to major cities along the Boston-New York-Washington, DC megalopolis.
Travelex has been hit by the Sodinokibi ransomware, which leaves systems operable but encrypts all data except files excluded by the ransomware’s initiation file. Because Sodinokibi’s zip files are difficult for virus and malware scanners to detect, the ransomware has a remarkably high success rate at getting past single-checkpoint security systems.
A feature of the attack is a deadline: once it elapses, the ransom demand automatically doubles. The Travelex hackers initially asked for $3 million, but the original deadline has passed, doubling the demand. A tweet from September 2019 by security research firm Bad Packets about Travelex’s vulnerability to Sodinokibi was ignored; Travelex eventually patched its systems in November.
Travelex has also failed to file the required data breach report with the UK’s Information Commissioner’s Office, which must be submitted within 72 hours of a data breach. Failure to make a report can mean a fine of up to 4 percent of a company’s global revenue.
Once Sodinokibi has deployed on a system, most antivirus and anti-malware suites can mitigate it effectively. The best strategy for dealing with encrypted or obfuscated data files is to keep a cloud-based or offsite backup of sensitive files that is updated regularly or automatically.