Can your company afford to be a cyber victim?

If in doubt, just ask Travelex and Dixons Carphone.
10 March 2020

Travelex suffered a global ransomware attack this year. Source: Shutterstock

It’ll never happen to us. How many organizations view cybersecurity as a box-ticking exercise while kidding themselves they will never be the target of hackers? 

It’s impossible to tell, but recent events show, once again, there is a real and present threat to all companies, both big and small. Hackers are constantly attempting to infiltrate corporate digital networks, and the damage they cause can potentially devastate a business.

The recent ransomware attack on Travelex, which took the currency exchange giant’s IT systems offline for more than three weeks, is a notorious case in point. The company faced demands for a US$6 million ransom to decrypt its data after hackers infiltrated its computer network in the early hours of New Year’s Day. Travelex has refused to disclose whether it paid the ransom.

The breach dates back to a security patch that Travelex allegedly sat on for eight months before applying it to its Pulse Secure virtual private network (VPN) servers, leaving its networks vulnerable to attack. 

The company, which has operations in 70 countries and processes an average of 5,000 transactions an hour, had to call in The Metropolitan Police’s cybercrime unit as well as an internationally renowned cybersecurity expert to try to get its data back. For more than three weeks, it had to revert to manual pen and paper transactions leaving its operations in chaos.

Ransomware for sale

The ransomware at the center of the attack is known as Sodinokibi or REvil. It first appeared in April 2019, offering criminal gangs the opportunity to rent the ransomware and customise it to target their own victims in return for a cut of the profits. Some criminal groups have links to Syria and Iran, according to research by McAfee.

The malware attack struck Travelex, which has 1,200 branches worldwide, in the early hours of December 31 2019, when it encrypted critical business files and left readme documents on infected computers. The readme files instructed Travelex to pay a ransom in Bitcoin through a website with a top-level domain registered in China in March 2019.

The attack resulted in at least 20 Travelex websites in different countries becoming inaccessible and left its outlets in airports and other retail sites without access to the internet or email or Travelex’s IT systems, as the company shut down systems to prevent the spread of the virus.

Operations in chaos

The attack has also disrupted banks, including Sainsbury’s Bank, Barclays, HSBC, Virgin Money, First Direct and Asda Money, along with others that rely on Travelex to provide their foreign exchange services. 

Travelex staff have been forced to record transactions manually and have been unable to take card payments for foreign currency or deliver pre-ordered currency to travellers who had pre-ordered it for collection. Customers have complained they have been unable to top up their Travelex currency cards, confirm transactions have taken place, check balances or use the Travelex app.

The total financial cost of the ransomware attack, when it is finally calculated will be truly eye-watering, but then add the damage done to the company’s reputation and the numbers of customers and partners who will think twice before doing business with Travelex in future. Then there is the prospect of a hefty fine from the Information Commissioner’s Office (ICO) for allowing the breach to happen in the first place.

Dixons Carphone targeted again

Dixons Carphone recently found itself in the ICO firing line when it was hit with the maximum possible fine of £500,000 after the tills in its shops were compromised by a cyber-attack that affected at least 14 million people.

The retailer discovered the massive data breach last summer and a subsequent investigation by the ICO found the attacker had installed malicious software on 5,390 tills in branches of its Currys PC World and Dixons Travel chains.

Rogue software went undetected over a nine-month period between July 2017 and April 2018 and collected a huge amount of data, leaving customers vulnerable to both financial theft and identity fraud.

Attackers harvested the payment card details of 5.6 million people as well as the personal information – including full names, postcodes, email addresses and details of failed credit checks – of approximately 14 million, the data watchdog said in a statement announcing the £500,000 fine.

The ICO said Dixon Carphone’s poor security arrangements and the inadequate steps taken to protect data had breached the Data Protection Act 1998. Last year the ICO fined Carphone Warehouse, part of the same group, £400,000 (US$521,000) for similar security vulnerabilities.

“The lesson to be learned from both of these examples is that in a modern dynamic business environment cybersecurity is an always-on requirement and security measures need to be omni-present and pre-emptive,” says Roy Reynolds Technical Director at Vodat International.

When the cost of a hack runs into many millions of pounds cybersecurity should never be seen as a drain on budgets but a valuable investment in business continuity and reputation management, he concludes.