Travelex: Met Police called in last week as Travelex FINALLY admits Sodinokibi ransomware attack


Travelex statement admits Sodinokibi ransomware outbreak but claims that no "structured personal customer data" has been compromised

Travelex called in specialists from the Metropolitan Police's Cyber Crime Team on Thursday last week over what it has finally admitted is a Sodinokibi ransomware attack.

The company took its systems offline on 31st December 2019 following the outbreak in a bid to contain the attack, shifting internal processes to manual as a result. However, it has faced a rising chorus of criticism over its response to the outage and the lack of information it has provided to customers and the media.


In a statement to Computing, the Metropolitan Police said: "On Thursday, 2 January the Met's Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Enquiries into the circumstances are ongoing."

Travelex, meanwhile, has finally got round to providing a statement attributing the outage to more than just "a virus", as the crisis enters its second week.

In the statement, the company confirms that it has fallen victim to the Sodinokibi ransomware, also known as REvil. "Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful," the company claims.

It adds: "To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted."


By this, the company presumably means that the ransomware was stopped before it was able to start encrypting critical customer information - but the phrase "structured personal customer data" raises as many questions as it answers.

The company also admits that nine days into its response to the outbreak it "does not yet have a complete picture of all the data that has been encrypted", and further claims that "there is still no evidence to date that any data has been exfiltrated".

The cyber criminals behind the Sodinokibi ransomware typically hedge their bets by exfiltrating organisational data before commencing the encryption process. They then threaten to release the data if the targeted organisation does not pay up.
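The "exfiltrate first, encrypt second" pattern described above is why defenders treat an unexplained egress spike followed by mass file changes as a single incident rather than two unrelated alerts. The following is an added example, not code from the article or from any party it names; the telemetry formats (per-host daily outbound bytes, and per-host daily counts of files given a new extension) and the sample records are constructed here to show the correlation logic.

```python
"""Detect the 'exfiltrate, then encrypt' sequence in constructed telemetry.

Added example, not from the article. Input formats are assumptions:
  flows:  (day, host, outbound_bytes)  -- daily egress per internal host
  events: (day, host, files_renamed)   -- files given a new extension that day
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: host "fin-srv-02" quietly ships roughly 40x its
# usual daily egress on day 5, then renames thousands of files on day 6.
# Host "hr-ws-17" is ordinary background traffic.
FLOWS = [
    (1, "fin-srv-02", 2_000_000), (2, "fin-srv-02", 2_400_000),
    (3, "fin-srv-02", 1_900_000), (4, "fin-srv-02", 2_100_000),
    (5, "fin-srv-02", 85_000_000), (6, "fin-srv-02", 1_000_000),
    (1, "hr-ws-17", 500_000), (2, "hr-ws-17", 650_000),
    (3, "hr-ws-17", 480_000), (4, "hr-ws-17", 520_000),
    (5, "hr-ws-17", 610_000), (6, "hr-ws-17", 540_000),
]
EVENTS = [
    (6, "fin-srv-02", 18_432),  # mass rename: encryption indicator
    (6, "hr-ws-17", 3),         # a handful of renames: normal user activity
]


def egress_anomalies(flows, ratio=10.0, min_history=3):
    """Return {host: [day, ...]} for days whose outbound bytes exceed
    `ratio` times the median of that host's earlier days. The median of
    prior days is the baseline, so one earlier spike does not mask a later one."""
    history = defaultdict(list)
    hits = defaultdict(list)
    for day, host, outbound in sorted(flows):
        prior = history[host]
        if len(prior) >= min_history and outbound > ratio * median(prior):
            hits[host].append(day)
        prior.append(outbound)
    return dict(hits)


def mass_rename_events(events, threshold=1000):
    """Set of (day, host) pairs where renamed-file count reaches `threshold`."""
    return {(day, host) for day, host, count in events if count >= threshold}


def exfil_then_encrypt(flows, events, ratio=10.0, window=3, threshold=1000):
    """Correlate: hosts whose egress spike is followed within `window` days
    by a mass-rename event. Each finding names both days so an analyst can
    scope the exfiltration window separately from the encryption window."""
    spikes = egress_anomalies(flows, ratio)
    renames = mass_rename_events(events, threshold)
    findings = []
    for day, host in sorted(renames):
        for spike_day in spikes.get(host, []):
            if 0 <= day - spike_day <= window:
                findings.append(
                    {"host": host, "exfil_day": spike_day, "encrypt_day": day}
                )
    return findings


if __name__ == "__main__":
    for finding in exfil_then_encrypt(FLOWS, EVENTS):
        print(finding)
```

The point of keeping the two signals separate is that a ransomware statement like "no evidence of exfiltration" is only as strong as the egress baseline it was checked against; a host whose outbound volume was never baselined produces no spike to correlate, and the absence of an alert then says nothing.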

The Travelex statement continues: "Having completed the containment stage of the remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date, Travelex has been able to restore a number of internal systems, which are operating normally."

The company has not been able to give an estimated date by which its systems will be back fully up and running.

Intriguingly, the statement signs off by asserting that the company "does not currently anticipate any material financial impact for the Finablr Group", the holding company that owns Travelex, set up by Indian businessman BR Shetty and floated on the London Stock Exchange in May 2019.

The attackers are believed to have gained entry via unpatched Pulse Secure VPN servers.

The organisation was warned in September about the vulnerability on its network by both private security researchers and the National Computer Security Centre (NCSC). However, Chicago, Illinois-based security researcher Troy Mursch claims he received no response from the company with regard to the warning he sent.
