Foreign exchange company Travelex has been targeted by hackers demanding $6 million (£4.6 million), in an attack many believe could have been averted months ago. The ransomware gang known as Sodinokibi -- also as REvil -- says it has downloaded more than 5GB of sensitive customer data, including dates of birth, credit card information and national insurance numbers, which it will publish if payment is not made within a week. The hackers originally demanded $3 million, but doubled the sum after two days of non-payment.
Following the attack -- which took place on New Year's Eve when many employees were on vacation -- the company displayed "planned maintenance" messages on its websites across Europe, Asia and the US in order to "contain the virus and protect data." That message has since been changed to an official press release in which Travelex says that while "it does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."
While its systems are down, the company is unable to sell or reload its pre-paid travel cards, and has had to resort to carrying out transactions manually, providing exchange services over the counter in its physical branches. A number of third-party companies and banks that rely on Travelex services have also been affected, including Virgin Money, Sainsbury's Bank and First Direct. Existing cards continue to function as normal.
As reported by Computer Weekly, Sodinokibi first appeared in April 2019, prompting researchers to identify a number of critical security vulnerabilities that the ransomware could exploit. Since the attack has come to light, new evidence has emerged showing that it took Travelex eight months to patch these vulnerabilities. A tweet from security research firm Bad Packets claims Travelex was notified of its exposure back in September 2019, but gave "No response." Travelex did eventually patch its systems in November -- giving the hackers time to lay their foundations.
Furthermore, the BBC reports that the UK's Information Commissioner's Office (ICO) has not yet received a data breach report from Travelex. Organizations must notify the ICO within 72 hours of becoming aware of a data breach unless it doesn't "pose a risk to people's rights and freedoms." If an organization believes a breach doesn't need to be reported, it will have to explain why. Under GDPR, failure to comply with this can result in a maximum fine of 4 percent of a company's global turnover.
Travelex says it's working with IT specialists, external cyber-security experts and the Metropolitan Police to remedy the situation. Meanwhile, customers have taken to Twitter to lambast the company for its lack of communications around the hack. In a statement, Travelex boss Tony D'Souza said the company apologizes "to all our customers for any inconvenience caused." It's not clear yet how the data may be used if the situation is not rectified.