Travelex – How not to handle a Cyber Incident

What happened?

On New Year’s eve as parties were in full swing and everyone was busy considering their new year resolutions, criminals put a devastating stop to any celebrations at Travelex. The Travelex network was infected with ransomware encrypting business data and bringing global operations at 1000 outlets across 26 countries to a stand-still. Staff had to resort to pen and paper to process transactions with many high street banks who use Travelex for foreign exchange unable to place orders.

Criminals behind the Sodinokibi variant of ransomware had infected the network and were demanding £4.6 million in ransom and had stolen 5GB of personally identifiable information (PII).

Clear communication

Instead of being transparent and honest, Travelex attempted to contain the incident but placing this above message on its website. Within a matter of hours it was quite clear that this was not planned maintenance but it was not until the 7th of January (one week after the incident) that Travelex released a statement confirming that:

“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted. Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated,”

All companies have obligations under GDPR and the Data Protection Act 2018 to report any data breaches within 72 hours, but it was reported that an ICO spokesperson indicated this had not been done.

It was not until nearly a month after the attack and untold financial and reputational damage did service appear to have returned to normal. There has been no further information indicating exactly how the ransomware found its way into the network but an RDP vulnerability is believed to be the cause.

Compared to the ransomware attack on Norsk Hydro who received huge praise for the way in which they handled the incident, communicating to stakeholders immediately and defiantly refusing to pay any ransom but going to huge business disruption of restoring data instead, at a cost of £45 million.

How a ransomware attack cost one firm £45m | BBC News

Air gap your backups

Businesses often resort to paying the ransom demand out of desperation because attempts to restore their data have failed. On multiple occasions when carrying out a security assessment we have found data backups stored on the same network as all other devices which would very likely be encrypted if they were struck by ransomware.

Have two backups, one on your local network for convenience and speed of restore, with the other being an off-site cloud backup which is completely isolated from your local network. That way should disaster strike all data can be easily restored and any incident is an inconvenience instead of a nightmare.

If RDP is needed put it behind a VPN

There should be no reason why an RDP server should be publicly available on the internet so we would strongly recommend this service is turned off and TCP port 3389 is blocked on your firewall.

If RDP is required then this should be accessed through a robust VPN with two factor authentication.

Reduce your attack surface

If you don’t already have one, create a patching policy to outline who is responsible for keeping up to date with vulnerability announcements and ensuring all systems are fully patched. One in three breaches are caused by unpatched vulnerabilities.

Consider at least quarterly vulnerability assessments to under your security posture and what risk are present in your internal and external infrastructure.

Use multi factor authentication to protect your users. We have identified following incident response assignments that a common method of distributing ransomware is through compromised Office 365 mailboxes. This easily allows a criminal to send email with a infected attachment to internal colleagues who may not apply the same level of caution as they would to an external email.

Be prepared

Be on the front foot and prepare your organisation. Undertake a security assessment to understand your security posture, implement managed security products to mitigate risk and educate your users on security awareness but also by involving them in disaster recovery planning. Only by following these three steps can businesses reduce the likelihood of a similar attack to the one which brought Travelex to a shuddering halt.

 

Get in touch for more information on any of the above or for an informal chat about potential risks to your organisation.