On New Year’s Eve 2020 Travelex was hacked, it took them nearly a month to get back up and running, the full cost of the incident is yet to be fully know.
Last year BA was hacked and faced fines of £183M for breach of GDPR regulations and in 2018 the NHS was hacked, and thousands of treatments / operations were lost. That is not including the many smaller enterprises you will never have heard of that have also been compromised.
The Travelex Story
- Travelex are a market leading independent foreign exchange business. Over the past 40 years they have built a market leading retail network of specialist foreign exchange stores, and have developed Travelex as a trusted and widely recognised brand in foreign exchange
- They have a prescience in more than 60 countries employing over 9,000 people with more than 1,200 branches and 1,000 ATM’s worldwide.
- They have built a growing online and mobile foreign exchange platform, having achieved 800k mobile and online transactions in 2017.
- On New Year Eve 2020 hackers held Travelex to ransom demanding $6m (£4.6m) to unlock their systems. Forcing the London headquartered firm to take down all of its global websites.
- The hackers “Sodinokibi, also known as REvil” reported to the BBC that they gained access to the network some 6 months before the attack, downloading 5GB of sensitive customer data. Threatening to release this data into the public domain unless the company paid up.
What do we know?
- Travelex claim that there is no evidence that customer data was compromised.
- The attack also had a knock-on effect on online travel money services for its partners, such as Tesco Bank, Sainsbury’s Bank, Virgin Money and First Direct, who also cannot sell currency online. Also, a number of High Street banks, stopped customers ordering foreign currency. Lloyds, Barclays and Royal Bank of Scotland – all get their foreign notes from Travelex
- Staff were forced to record transactions manually and were unable to take card payments for foreign currency or deliver pre-ordered currency to travelers who had pre-ordered it for collection.
- It is reported that Travelex’s losses will be partly covered by a cyber insurance policy.
- Travelex refuses to say if they paid the hackers
- The true cost of this incident is yet to be known but time will tell.
How did it happen?
- Evidence has come to light that Travelex took eight months to patch their Pulse Secure virtual private network (VPN) servers it uses to provide employees with remote access to their central computers, leaving their networks vulnerable to attacks.
- It has been reported that Pulse Secure VPN services contained bugs that could allow people to gain covert access to a company’s network, prompting Pulse Secure to issue an advisory notice and software patches to correct the problem in April 2019. Security company Bad Packets warned Travelex on 13 September that it had seven unpatched Pulse Secure VPN servers
- In early October, the UK’s National Cyber Security Centre (NCSC), part of GCHQ which advises businesses on cyber security, and the US National Security Agency, issued an alert warning that cyber criminals were attempting to infiltrate organisations worldwide through vulnerabilities in Pulse Secure and other VPNs.
- Once someone has compromised a network and gained access they can activate “malware” at any time. In this case 6 months after the initial incursion.
How can you protect your business?
Successful corporate governance includes Cyber Security. There are three actions all boards should take to protect their stakeholders whether Customers, Suppliers, Employees, or Shareholders from loss of reputation, loss of business, and loss of profits. Even loss of the business itself! These are:
1) Implement appropriate measures to make it difficult for hackers to gain access to systems and networks to steal data, steal intellectual property, or hold the business to ransom
2) Design in resilience to systems and networks to provide business continuity in the event of attack, and
3) Develop and test disaster recovery methods that ensure data is not lost and you can always recover from a cyber security attack.
Boffins can help you with these tasks. We are an Accredited Cyber Essentials Practitioner and can provide you with a thorough security gap analysis, proportionate mitigation strategies including comprehensive IT policies, road mapped implementation assistance, and routine maintenance and testing on all three areas. Please visit our Cyber Security page.
So are you taking appropriate measures to ensure you are not next?