As ransomware attacks go, the cyber intrusion at Travelex that emerged on New Year’s Eve could have lasting consequences — and ones that shouldn’t be just a worry to the currency dealer.
Travelex, known mostly for its airport shops and ATMs, was forced to resort to manual dealings and handwritten receipts for foreign exchange sales as it took systems offline to prevent the malware Sodinokibi, also known as REvil, from spreading. Core activities were crippled or halted altogether during what would have been busy trading days, across dozens of countries.
Worse still, the company has had to repeatedly deny claims by its attackers that customer data has been stolen, a violation of security that if true would result in a further loss of client trust — and hefty regulatory fines. Under the European General Data Protection Regulation, companies can be sanctioned as much as 4% of annual turnover if appropriate security measures aren’t in place or if the company fails to notify regulators promptly.
As of Monday, Travelex hadn’t notified the U.K. Information Commissioner’s Office of a breach and it didn’t have evidence data was compromised. Earlier in the day, the company said it was finally restoring customer-facing systems. Meanwhile, London’s Metropolitan Police is investigating.
Travelex’s attackers appear to have known how to strike where it hurts. As the U.S. Federal Bureau of Investigation warned in October, losses from ransomware are increasing even though the number of attacks is declining, a sign that criminals are becoming more sophisticated.
Indeed, the dent to Travelex’s reputation and the effect that could have on its business with corporate customers could be considerable. The outage disrupted delivery of cash from its vaults to international banks, and the online suspension of dealings forced corporate clients to stop some services they offer their own customers. Some of the world’s biggest banks, such as Barclays Plc and HSBC Holdings Plc, have been affected.
The disruptions prompted a warning from S&P Global Ratings on Travelex’s finances and its creditworthiness as a standalone business. S&P was concerned about the adequacy of Travelex’s controls and governance, and whether the company will be able to renew corporate contracts. Cash from its parent Finablr Plc (owner of six other brands including money-transfer firm UAE Exchange and Ditto digital bank) would help meet liquidity needs but funds haven’t yet been committed.
Travelex may have added to its pain with a sloppy public response. The drip-feed of information on the impact of the breach (initially Travelex said the website was down for planned maintenance) will make regaining confidence harder. Its customer data has been somewhat compromised in the past too. In March 2018 Travelex suffered a breach, which was disclosed in Finablr’s prospectus when it sold shares to the public last year.
While the company contends that there’s no evidence customer data has been stolen in the Sodinokibi attack, there are reports alleging that the hackers claiming responsibility have demanded as much as $6 million in ransom to stop them releasing data publicly.
Travelex isn’t commenting on the ransom request. The FBI in recent guidance acknowledged there will be circumstances under which companies may have no choice but to cough up if they’re struggling to do normal business. Meantime, insurers have spotted a financial opportunity, helping to shield firms from the risks, while fueling some concern that they’re urging customers to meet criminals’ ransom demands with extra haste. The more sophisticated the attacks, the greater the pressure on victims to put the fire out quickly. Travelex is a reminder of what’s at stake.