Travelex, a major international foreign currency exchange service, revealed that the company experienced a malware attack sometime on or around New Year’s Eve. Details about the attack are still very scanty, but it was bad enough that the company took its website offline and suspended some services for at least two days.
What we know about the Travelex malware attack
Travelex is a London-based provider of travel-oriented financial services, one of the largest in the world of its type. The company spans 70 countries with over 1,200 retail locations. Countless travelers rely on its prepaid cards, currency exchange service and international money transfers when visiting other countries.
The company took their website offline on December 31 in response to a malware attack, although at the time they posted a message saying that “service upgrades” were being made. The company admitted in a statement two days later that it was a malware attack and that services were offline in order to protect data, but declined to provide details about what kind of attack.
While the UK website was down, the company was unable to process any of its normal online transactions. This included use of the mobile app as well. Travelex customers were limited to visiting physical retail locations (which were manually processing customer requests using offline methods), and were only able to check balances on their cards by using the United States-hosted version of the Travelex Money Card site. The main site was displaying a server error until January 3.
Companies that partner with Travelex for these various services, such as Tesco Bank, also had to temporarily suspend them while the malware situation was sorted out.
Travelex claimed that no customer data was compromised in the attack, but without knowing what happened that is a difficult claim to verify. It could simply mean that the company was not yet aware of any exfiltrated data, and it might still discover some once a proper investigation by outside forensics firms gets under way.
Was it ransomware?
A Computer Weekly report cited a company insider who claimed that Travelex was hit with ransomware and took the site offline as a precautionary measure. The company also reportedly sent an email to employees advising them not to open emails with the word “readme” in the title or attached files.
Assuming that the company’s claim that no customer data was accessed by outside parties is true, and given that all online services were shut down for several days, ransomware would make a lot of sense.
European companies struggled with the re-emergence of the notorious WannaCry in 2019, with hospitals and medical services as the main target. This particular wave of attacks was able to spread very quickly due to a known Windows vulnerability that allowed the ransomware to infect any other Windows machine on the same network. Microsoft patched the vulnerability in March to stop the spread, but it continued to ravage unpatched machines for months afterward.
If it was indeed ransomware, Travelex would likely have been caught flat-footed, with the attack striking on both a major holiday and a Friday. The slow and patchy return of online services indicates that the company may have opted to restore from backups rather than pay the ransom. The timing of the malware attack was awful not just because banks were closed over the weekend, but because customers were looking to pay rent and various bills, and potentially to receive paychecks, on the first of the month.
According to Colin Bastable, CEO of security awareness and training firm Lucy Security:
“The Christmas/New Year period is ideal for phishing and other socially-engineered attacks – people are distracted, businesses are short-staffed and it is relatively easy to deliver a malware payload in a New Year-themed phishing email, or a fake year-end bonus email.
“Travelex makes for a juicy target – it is somewhat surprising that they were breached, but at any given time, up to 30% of employees can easily fall for phishing attacks, which are responsible for over 90% of losses from cybersecurity breaches.”
An interesting side note is that a number of banks in the Lloyds Banking Group also had their systems offline for about nine hours on New Year’s Day. The company disavowed any connection to the Travelex malware attack, however, claiming that an internal computer crash was the issue.
GDPR disclosure requirements
The terms of the General Data Protection Regulation (GDPR) and United Kingdom law are such that the London-based company may not be allowed to be tight-lipped about the nature of the malware attack forever.
Even if customer data was not exfiltrated in the malware attack, the wording of articles 33 and 34 of the GDPR is broad enough (the standard being impact to “rights and freedoms”) that Travelex may still be obligated to disclose details as if it were a breach. The law is not entirely clear in cases of a ransomware attack in which data is not stolen, but companies generally err on the side of caution and follow the breach declaration standards if an outage disrupts service for as long as this one did. The initial breach notification is usually required within 72 hours of the company becoming aware of the incident, but this can be extended if the company does not yet have access to all of the information it needs. The company would then be required to conduct a postmortem analysis of the incident and put a remediation plan in place.
The risk to consumers
The public needs to know exactly what type of malware attack occurred before the full risk can be gauged.
All signs do point to ransomware, however, which could mean that the attackers never had access to personal data. It all depends on the methods the attackers used. It is possible that ransomware attackers could access and copy data for themselves prior to locking the company out of it. This is usually determined by a postmortem forensics examination.
The most prudent thing for Travelex customers to do is to assume that the attackers had access to the data until there is clear evidence otherwise. This could mean changing passwords, transferring funds to a new Travelex money card, and ensuring that login credentials and PINs are not reused for other accounts.