On Feb. 13, foreign-currency exchange company Travelex, which is owned by Abu Dhabi-based Finablr, reported that it had restored the majority of its customer-facing services, and resumed normal business operations in the UK, Europe, North America, the Middle East & Turkey, Australia & New Zealand. Travelex had been completely or partially offline in these regions for over a month, after being hacked by a ransomware virus known as Sodinokibi on Dec. 31, 2019. The virus, also known as REvil, encrypted the data on Travelex’s website.
The cybercriminals behind Sodinokibi threatened to publish sensitive customer data, including birth dates and credit card information, unless Travelex paid $6 million to retrieve the data. Travelex reported that there has been no evidence customer data was compromised in the attack, but it was forced to shut off customer-facing websites across the globe to prevent any further damage from the intrusion. To its credit, Travelex quickly enacted a business continuity and disaster recovery plan – something all organizations should have in place for situations like this. After quarantining the virus, Travelex continued to conduct business at its 1,200 locations worldwide, using pencil, paper, and calculators to tally transactions and tracking currency exchange rates by phone.
Given the interconnectedness of financial institutions, the disruption to business was widespread. Banks across the globe, including Barclays PLC branches in the UK and Westpac Banking Corp. in Australia, rely on Travelex for their currency exchange transactions and were unable to make exchanges for customers while Travelex brought services back online. It’s not the first time Travelex has been breached – just two years ago the company accidentally leaked the personally identifiable information of 17,000 Tesco Bank customers.
Travelex used a company-wide Virtual Private Network (VPN) product called Pulse Secure, and at the time of the attack the VPN had a vulnerability that made it possible to access the network without a valid username or password. Hackers were able to easily view logs and cached passwords by switching off authentication. This, of course, was no small vulnerability, and while Pulse Secure identified and patched it back in April 2019, Travelex never applied the patch to its own servers – nor did it notify customers or governing bodies about potential data breaches resulting from the compromised infrastructure. Even after taking its websites offline more than a month ago, Travelex failed to report a data breach.
Consequences Under Data Privacy Law
Companies can face serious consequences for failing to report a data breach to the proper authorities. In the US, for example, fast-food chain Dunkin’ informed customers in October 2018 that a breach had led to their personally identifiable information (PII) being compromised – three years after discovering the breach. Such a lapse was a clear violation of the NYS Information Security Breach and Notification Act, which states that businesses must notify affected consumers of any breach as soon as it’s discovered, in the most “expedient time possible.”
Travelex claims no customer PII was accessed by hackers, and so was under no obligation to report a potential data breach to the Information Commissioner’s Office (ICO). Until it’s discovered that PII was compromised, Travelex is in the clear. But such a scenario brings an important question to the forefront: should companies be required to report the potential for data breaches – not just confirmed breaches?
That question may be answered by future data privacy legislation, but for now Travelex isn’t being charged under any data privacy acts, including the General Data Protection Regulation (GDPR). If it’s discovered that customer PII was indeed compromised, the company could face fines of up to 4 percent of its annual revenue. And Travelex could face more than just the wrath of GDPR. Travelex helps other institutions manage their supply of foreign banknotes with a network of high-security vaults in 14 countries, including the US. This means that the breach – and any fallout – is subject not only to the GDPR’s security requirements, but also to the California Consumer Privacy Act (the CCPA) and other state privacy laws in the US.
The Importance of Disaster Recovery
Recovery happens in tiers, something that Travelex has aptly demonstrated. The company’s story is a stark reminder of the importance of business continuity and disaster recovery (BCDR) plans – something ADCG’s Carlos Solari discusses in detail here. BCDR plans should be continuously refined, updated, and tested to make sure that they work. Firewalls and encryption are more important than ever before, but awareness, training, and preparation are critical components to recovering from a data breach and have been shown to greatly increase institutional cyber resilience.
A Harbinger of Things to Come
Travelex may have gotten lucky (for now), but ransomware attacks won’t be decreasing in frequency or severity. This form of cybercrime will only become more sophisticated in nature as time goes on, and criminals are increasingly using ransomware to target infrastructure and financial services organizations. For Travelex updates, please visit the company website here.