Travelex: Met Police called-in last week as Travelex FINALLY admits Sodinokibi ransomware attack

clock • 3 min read

Travelex statement admits Sodinokibi ransomware outbreak but claims that no "structured personal customer data" has been compromised

Travelex called-in specialists from the Metropolitan Police's Cyber Crime Team on Thursday last week over what it has finally admitted is a Sodinokibi ransomware attack.

The company took its systems offline on 31st December 2019 following the outbreak in a bid to contain the attack, shifting internal processes to manual as a result. However, it has faced a rising chorus of criticism over its response to the outage and the lack of information it has provided to customers and the media.

There is no evidence that structured personal customer data has been encrypted

In a statement to Computing, the Metropolitan Police said: "On Thursday, 2 January the Met's Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing."

Travelex, meanwhile, has finally got round to providing a statement attributing the outage to more than just "a virus", as the crisis enters its second week.

In the statement, the company confirms that it has fallen victim to the Sodinokibi ransomware, also known as REvil. "Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful," the company claims.

It adds: "To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted."

Detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems

By this, the company presumably means that the ransomware was stopped before it was able to start encrypting critical customer information - but the phrase "structured personal customer data" raises as many questions as it answers.

The company also admits that nine days into its response to the outbreak it "does not yet have a complete picture of all the data that has been encrypted", and further claims that "there is still no evidence to date that any data has been exfiltrated".

The cyber criminals behind the Sodinokibi ransomware typically hedge their bets by exfiltrating organisational data before commencing the encryption process. They then threaten to release the data if the targeted organisation does not pay up.

The Travelex statement continues: "Having completed the containment stage of the remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date, Travelex has been able to restore a number of internal systems, which are operating normally."

The company has not been able to give an estimated date by which its systems will be back, fully up-and-running.

Intriguingly, the statement signs off by asserting that the company "does not currently anticipate any material financial impact for the Finablr Group", the holding company that owns Travelex, set-up by Indian businessman BR Shetty and floated on the London Stock Exchange in May 2019.

The attackers are believed to have gained entry via unpatched Pulse Secure VPN servers.

The organisation was warned in September about the vulnerability on its network by both private security researchers and the National Computer Security Centre (NCSC). However, Chicago, Illinois-based security researcher Troy Mursch claims he received no response from the company with regard to the warning he sent.

All Computing's coverage of the Travelex ransomware outbreak

You may also like
NCSC and insurers unite to fight ransomware threat

Threats and Risks

First rule: 'Don't panic'

clock 15 May 2024 • 3 min read
Cybersecurity Festival 2024: Four ways to cut your cyber insurance premiums

Finance

Certifications mean nothing without action

clock 08 May 2024 • 4 min read
LockBit leader unmasked

Hacking

Named as Russian national Dmitry Khoroshev

clock 08 May 2024 • 3 min read

More on Security

Asian Tech Roundup: Pressure grows in US-China trade war

Asian Tech Roundup: Pressure grows in US-China trade war

Plus: Google 'accidentally' deletes pension fund's cloud account

Tom Allen
clock 17 May 2024 • 4 min read
Maritime security: 'Hacking a ship is just like hacking a Tesla but bigger'

Maritime security: 'Hacking a ship is just like hacking a Tesla but bigger'

Cyberattacks on shipping up 400-500% in five years, Lloyds List Intelligence

John Leonard
clock 16 May 2024 • 4 min read
Tories self-refer to ICO over data breach

Tories self-refer to ICO over data breach

Revealed hundreds of personal email addresses by forgetting to BCC

Tom Allen
clock 15 May 2024 • 2 min read