January 17, 2020

Travelex hack update: First UK customer-facing systems restored

By Robert Scammell

Travelex CEO Tony D’Souza has provided an update on the ransomware attack that first took down the foreign currency firm on New Year’s Eve, stating that the “first customer-facing systems in the UK are now up and running”.

The hack has had a ripple effect on the majority of the UK’s high street banks, which have been unable to process online orders for foreign currency.

“We have already restored some of our internal and order processing systems and are now starting to restore customer-facing systems, some of which are now successfully live in the UK,” said D’Souza in a video statement posted on Travelex.com.

He added that the firm has “started restoring forex order processing electronically in our UK stores and in some of our UK retail partner locations, and we are also now starting our VAT refund service in UK airports”.

Sodinokibi, the ransomware group behind the hack, had demanded £4.6m to restore Travelex’s systems. The cybercriminals also claimed to have stolen customers’ personal data – including payment card information – and threatened to release it to the public domain unless Travelex paid up. Travelex has not said if any ransom was paid.

Since this claim, Travelex has insisted that no customer data was compromised. In today’s update D’Souza repeated this stance, stating that “to date, we have not uncovered any evidence to suggest that any customer data has left the organisation”.

Travelex update: Questions remain over attack method

The Travelex update comes 18 days after the company’s systems were attacked. It is still unclear exactly how the cybercriminals were able to compromise the exchange’s network.

D’Souza said that it’s “not appropriate” to provide any information on how the cybercriminals infiltrated Travelex’s system while the matter is still under investigation.

“When we discovered the virus, we took the tough decision to first isolate the parts of the business where it was initially found and then take down the rest of our systems,” said D’Souza.

“This enabled us to prevent its spread and minimise the damage.”

He added that the majority of the business “did in fact remain operational”. This is likely to raise eyebrows among the Travelex staff who have been forced to use a pen and paper to serve customers, as well as customers who have been unable to access currency they had already purchased.

“We could – and did – continue to provide many of our customer services through our retail outlets, even though some of the central systems necessary to provide online services and manage our wholesale and outsourcing services were unavailable,” he said.

D’Souza said that today is the “first opportunity” he has had to speak to customers directly about the ransomware attack because of “a number of technical, commercial, legal and regulatory complexities that we needed to work through in the immediate aftermath of the attack”.

Ed Williams, director EMEA at cybersecurity firm Trustwave, said:

“Not being part of this investigation it’s difficult to know the detail; however, our recommendation is to never pay the ransom because paying helps fuel the criminal industry. Sufficient policy and procedures covering data back up and disaster recovery should be in place to help mitigate this type of attack. Their Business Continuity Planning (BCP) process should be kicking in and ensuring core business is running.

“As part of this policy and procedure, I would expect complete transparency such that customers and clients can make appropriate decisions and keep a watchful eye to ensure that their data isn’t being misused by the threat actors. Communication in events of this nature is critical, we know that ransomware attacks happen and are becoming more frequent and not being open degrades trust.”
