Travelex vs. the Internet: How Not to Handle Your Ransomware Crisis

Cyber Security

On December 31, 2019, the international foreign currency exchange service Travelex suffered a ransomware attack that affected its services, especially its customer-facing systems, during the height of holiday travel.[1] This prompted the company to take all of its computer systems offline, which consequently meant that customers all over the world could no longer use the website or app for transactions, or make payments at Travelex’s 1,500 locations.

Overnight, Travelex found itself unable to take card payments for foreign currency or to hand over currency to travelers who had pre-ordered it for collection, while Travelex staff were forced to record transactions manually.[2] The attack also disrupted banking operations globally, affecting Barclays, HSBC, Sainsbury’s Bank, Virgin Money, and many other banking institutions that rely on Travelex to provide their foreign exchange services.[3] Given the timing of the attack, the disrupted services have naturally led to thousands of customer complaints since the outage began, with many looking to Travelex to respond with clarification and remediation.

A Series of Fumbled Responses

In the short history of ransomware attacks, the way Norsk Hydro responded to their own attack in 2019 has been hailed as the gold standard[4] of handling such a crisis. Not only were Norsk Hydro fully transparent about the breach when it happened, but their executives also held daily conferences, their senior staff hosted webcasts and answered audience questions, and the company posted constant updates on Facebook and cooperated fully with journalists.[5] Instead of following Norsk Hydro’s example when handling their own ransomware crisis, Travelex did the complete opposite.

Once the attack took place on New Year’s Eve, the Travelex website went down worldwide without any explanation on the company’s social media. Two days later, the website was updated with a statement explaining that the website and its services were temporarily unavailable due to “planned maintenance,”[6] which was a lie. As if to confirm the lie, the Travelex Twitter account issued a different statement in a press release that same day, admitting that services were down because the company had been hit by a “software virus” that had now “been contained,” while entirely omitting the nature of the attack.[7]

It wasn’t until January 7,[8] five days after their last statement[9] and days after the technology press had confirmed from other sources[10] that what Travelex suffered was indeed a ransomware attack, that the company released a statement admitting to being hit by the Sodinokibi ransomware. The statement provided no information as to the ransom amount demanded, how the attack itself took place, or how its systems were compromised.[11] It also did not provide any of its customers – who were left stranded without their money or assistance for a full week – with a customer service phone number or email, or even an FAQ link, to offer any information as to how and when they could expect to be compensated.

Two weeks after the attack, on January 13, Travelex issued another statement, saying that it had restored some internal processes and ordering systems,[12] and that its customer-facing systems would be operating again soon, on a date in the near future that was yet to be determined.[13] Currently, there is still no official explanation as to how the attack took place, nor is there a single customer service initiative by Travelex to allay its customers’ concerns, nor has its owner, Finablr Group, acknowledged the attack or the crisis in any statement or on its website.

Unfortunately for Travelex’s management and owners, the internet abhors an information vacuum, and many of the questions that Travelex tried not to answer ended up being answered by other sources, including the attackers themselves.

The Internet Strikes Back

Almost from the day of the attack, the infosec and technology press communities abounded with speculation that Travelex had indeed been hit with a ransomware attack, one that its management had hoped to hide. By January 3, Computer Weekly magazine had received inside information that the currency exchange company had fallen victim to a ransomware attack, and by January 6, both Computer Weekly[14] and Bleeping Computer[15] were reporting that the ransomware was Sodinokibi, a full day before Travelex admitted it.

Unlike Computer Weekly, Bleeping Computer got its information from the Sodinokibi crew themselves, who contacted the news outlet and informed them of the attack and the ransom they had demanded, and alleged that they had also managed to copy more than 5GB of personal customer data, including social security numbers and credit card information, a claim that Travelex has denied. The Sodinokibi crew have threatened to sell the information they hold if they are not paid their ransom,[16] which would in turn confirm that a data breach had taken place and consequently increase Travelex’s liability, from GDPR fines to customer lawsuits. As the attackers’ statement ominously put it, “We still benefit if they don’t pay.”[17]

Failure on All Fronts

The infosec community, on the other hand, started filling in the blanks as to how the breach took place. The first explanation focused on the company’s use of the Pulse Secure VPN enterprise solution, which suffered from a vulnerability that would allow people without valid usernames and passwords to remotely connect to the corporate network the device is supposed to protect, turn off multi-factor authentication controls, and remotely view logs and cached passwords in plain text.[18] Pulse Secure has had a patch available since April 24, 2019, and has notified its customers of it multiple times since then.

When a public exploit for this vulnerability was made available on August 21, 2019, the cyber security company Bad Packets ran an internet scan and found about 15,000 systems that were exploitable via this security issue. They then started contacting the organizations at risk to warn them about their unpatched systems, including Travelex on September 13.[19] Travelex never responded to that email. Additionally, according to Bad Packets, Travelex did not have the “Network Level Authentication” feature enabled on its Windows servers hosted on the Amazon cloud platform,[20] leaving them exposed to the internet for months and allowing anyone to connect to the servers before authenticating. So far, Travelex has presented no information confirming or denying any of this.
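The Network Level Authentication (NLA) setting mentioned above is something a Windows administrator can audit and enforce on each host before an incident, not only discover afterwards from an outside scan. The PowerShell script below is an added example written for this page, not code from the article, from Travelex, or from Bad Packets. It assumes a Windows Server host where the WMI class Win32_TSGeneralSetting (namespace root\cimv2\TerminalServices) and the RDP-Tcp registry key exist, and it must be run from an elevated session on that host. Both the registry value and the WMI property it reads are the documented locations where Remote Desktop Services stores the NLA requirement; the function names Get-RdpNlaStatus and Set-RdpNlaRequired are this example's own.

```powershell
# Added example (not from the article): audit, and optionally enforce, Network Level
# Authentication for Remote Desktop on the local Windows host.
# Assumes: Windows Server with Remote Desktop Services, run as Administrator.

function Get-RdpNlaStatus {
    [CmdletBinding()]
    param()

    # Registry value consulted by Remote Desktop Services:
    # 1 = NLA required (client must authenticate before a session is created)
    # 0 = any client may connect and reach the logon screen before authenticating
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $reg = Get-ItemProperty -Path $regPath -Name UserAuthentication -ErrorAction Stop

    # Cross-check with the WMI view used by the System Properties dialog.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        RegistryNlaRequired = ($reg.UserAuthentication -eq 1)
        WmiNlaRequired      = ($wmi.UserAuthenticationRequired -eq 1)
        # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = TLS/SSL
        SecurityLayer       = $wmi.SecurityLayer
    }
}

function Set-RdpNlaRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $wmi = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
        -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Require NLA for RDP-Tcp')) {
        # SetUserAuthenticationRequired is the documented WMI method for turning NLA on.
        Invoke-CimMethod -InputObject $wmi -MethodName SetUserAuthenticationRequired `
            -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    }
}

# Usage: report the current state and warn if NLA is not enforced.
$status = Get-RdpNlaStatus
$status | Format-List

if (-not $status.WmiNlaRequired -or -not $status.RegistryNlaRequired) {
    Write-Warning ("NLA is not enforced on {0}: unauthenticated clients can reach the RDP logon screen." -f $status.ComputerName)
    # Remediate once the change has been approved for this host:
    # Set-RdpNlaRequired -Confirm:$false
}
```

Reading both the registry value and the WMI property guards against the two drifting apart after a Group Policy change or a manual edit; a mismatch is itself worth a ticket. The remediation call is left commented out so the script is safe to run as a read-only audit across a fleet first, for example via Invoke-Command, and only then used to enforce the setting on the hosts it flags.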

If Norsk Hydro’s handling of its ransomware crisis is the industry’s best practice, then Travelex’s handling of its current ransomware crisis is the case study in what not to do. Travelex repeatedly lied to its customers throughout the crisis, admitted the truth only begrudgingly after it came out from other sources, and has now gone two weeks running without offering customers any transparency or outreach. The company plainly did not have a crisis management plan, a clear or consistent communication strategy, or a clear understanding of how this crisis has affected and will continue to affect its brand or its future revenues.

Travelex also did not understand that what saved Norsk Hydro’s brand was not only their transparency, but also their sense of responsibility in the face of the crisis. Any organization facing a similar or worse public relations crisis can survive as long as they provide the public with three things: a sincere apology, a sense of understanding of the suffering it caused its customers, and the conviction to make things right, even if it means putting their customers first and their brand image second. Travelex’s management does not seem to understand that, or that during such a crisis, their customers will view them as the first resource they can turn to for help, and in the face of being ignored for two weeks and counting, customers will surely abandon them. If we add the potential fines, legal fees, legal liabilities, loss of business, the inevitable ratings and outlook downgrade, and the damage to the brand, it is fair to say that the Travelex nightmare is far from over.


[1] BBC Staff, “Travelex site taken offline after cyber attack,” BBC News, January 2, 2020, https://www.bbc.com/news/business-50977582

[2] Danny Palmer, “Two weeks after ransomware attack, Travelex says some systems are now back online,” ZDNet, January 13, 2020, https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/

[3] Tess Bennett, “Aussie Banks Feel The Effects Of Travelex’s Ransomware Crisis,” Which-50, January 13, 2020, https://which-50.com/aussie-banks-feel-the-effects-of-travelexs-ransomware-crisis/

[4] Bill Briggs, “Hackers hit Norsk Hydro with ransomware. The company responded with transparency,” Microsoft News, December 16, 2019, https://news.microsoft.com/transform/hackers-hit-norsk-hydro-ransomware-company-responded-transparency/

[5] Larry Loeb, “Norsk Hydro: This Is How You React to a Ransomware Breach,” Security Now, March 25, 2019, https://www.securitynow.com/author.asp?section_id=649&doc_id=750396

[6] Graham Cluley, “‘Planned maintenance’? Travelex’s masterclass in how not to respond to a cyberattack,” grahamcluley.com, January 8, 2020, https://www.grahamcluley.com/travelex-ransomware/

[7] Travelex UK (@TravelexUK), “Statement on IT issues affecting Travelex Services,” Twitter, January 2, 2020, https://twitter.com/TravelexUK/status/1212840156480315401

[8] Lawrence Abrams, “Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another,” Bleeping Computer, January 9, 2020, https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/

[9] Travelex UK (@TravelexUK), “Hi Andrew, we don’t have anything substantial to offer in terms of updates. We’ll update our twitter as soon as we have some updates. Thank you once again for your patience,” Twitter, January 6, 2020, https://twitter.com/TravelexUK/status/1214183366712528898

[10] Ionut Ilascu, “Sodinokibi Ransomware Hits Travelex, Demands $3 Million,” Bleeping Computer, January 6, 2020, https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/

[11] Graham Cluley, “‘Planned maintenance’? Travelex’s masterclass in how not to respond to a cyberattack,” grahamcluley.com, January 8, 2020, https://www.grahamcluley.com/travelex-ransomware/

[12] Rory Cellan-Jones (@ruskin147), “This statement from Travelex- a firm whose services have now been offline for nearly two weeks- is in the best traditions of Pravda,” Twitter, January 12, 2020, https://twitter.com/ruskin147/status/1216639558403678208

[13] Danny Palmer, “Two weeks after ransomware attack, Travelex says some systems are now back online,” ZDNet, January 13, 2020, https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/

[14] Bill Goodwin, “Cyber gangsters demand payment from Travelex after ‘Sodinokibi’ attack,” Computer Weekly, January 6, 2020, https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack

[15] Ionut Ilascu, “Sodinokibi Ransomware Hits Travelex, Demands $3 Million,” Bleeping Computer, January 6, 2020, https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/

[16] Lawrence Abrams, “Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another,” Bleeping Computer, January 9, 2020, https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/

[17] Lawrence Abrams, “Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another,” Bleeping Computer, January 9, 2020, https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/

[18] Danny Palmer, “Two weeks after ransomware attack, Travelex says some systems are now back online,” ZDNet, January 13, 2020, https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/

[19] Bad Packets Report (@bad_packets), “We notified Travelex about their vulnerable Pulse Secure VPN servers on September 13, 2019,” Twitter, January 4, 2020, https://twitter.com/bad_packets/status/1213536922825420800

[20] Danny Palmer, “Two weeks after ransomware attack, Travelex says some systems are now back online,” ZDNet, January 13, 2020, https://www.zdnet.com/article/two-weeks-after-ransomware-attack-travelex-says-some-systems-are-now-back-online/
