In an ideal world, humans would only ever learn from doing things right, but failure is a persistent teacher. That’s why for every Norsk Hydro or Maersk competently and professionally handling major security incidents, there’s also a Travelex. In this blog, we dig into why the world’s largest foreign exchange company has become the latest cyber scapegoat. We also look at what incident response lessons we can learn from the case.  

The facts are these: on New Year’s Eve, criminals launched a ransomware attack against Travelex. The company reacted by taking down its websites in 30 countries. For several days, Travelex offered no explanation for what had happened other than saying this was “planned maintenance”. Reports emerged that the company had reverted to manual pen-and-paper processes at its service counters to keep operating.

On 7 January, a statement from the company finally confirmed it had suffered a malware infection. It said it took systems offline “to contain the virus and protect data”. By then, Bleeping Computer was already reporting that a ransomware gang called Sodinokibi was responsible and demanding a $6m ransom.

The gang, also known as REvil, claimed to have gained access to the company’s computer network six months previously. It said it had downloaded 5GB of sensitive customer data including dates of birth, credit card information and national insurance numbers.

Even in late January, many Travelex websites in several countries, including its main .com domain, remained offline.

Teaming up on Travelex

Other details of the story began to emerge, including the revelation that a flaw in the Pulse VPN product was the likely way in for intruders. Bad Packets, a US security company, had discovered 14,528 unsecured Pulse Servers in August 2019. The following month, it contacted Travelex about this, but got no response. Nothing like an unpatched system to get the security hordes baying for blood.

Travelex isn’t the first company to experience ransomware (or forget to patch systems), so what makes its case stand out? As Brian Honan commented for SANS Newsbites, the breach showed “several examples of how to not handle incident response, from poor communications to key stakeholders, to not engaging with media, and lack of transparency to customers as to the real cause of the systems being offline”.

In an editorial for Computer Weekly, Brian explained why the lack of communication backfired so badly. “In the absence of statements and updates by Travelex, it was left to security experts and journalists to try to fill the gap, leading to rumour, speculation and, ultimately, upset customers,” he said.

Speaking of speculation, that brings us to the first of four key lessons from this sorry affair that could help others to avoid a similar fate. Brian also made the important and often overlooked observation that Travelex is the victim of a crime. Not that that puts a stop to all the hot takes…

Lesson 1: people will talk

Not long after the story broke, security commentators were quick to dive in with studs showing. Security researcher Kevin Beaumont described Travelex’s public response as “shockingly bad”. He pointed out that a full week after the problems began, the website continued to show the “planned maintenance” message. “Many customers will be completely unaware hackers gained access to their network, and allegedly their personal data. Travelex have a responsibility to clearly communicate with customers and business partners the gravity of the situation.”

Independent security commentator Graham Cluley struck a humorous note – as he tends to do – by making fun of Travelex’s statement that amazingly tried to put a positive spin on the situation. “Travelex continues to make good progress with its technology recovery” ran the headline in the company press release. We don’t believe in victim blaming but pretending like nothing’s happened is not the wisest public relations plan.

Lesson 2: A ransomware infection is a data breach

It also appears that Travelex did not inform the UK Information Commissioner’s Office (ICO) about the breach. As Brian wrote: “Many may think a ransomware attack is not a data breach because the data is still on the system. But if the personal data entrusted to your care is encrypted and you cannot access it or decrypt it, you could be deemed to have lost control of the data and therefore it could constitute a breach.”

Lesson 3: Incident response is not “an IT problem”

This is the key lesson from the Travelex breach, according to Brian’s editorial in Computer Weekly. “An effective response to a breach is a critical business function and is no longer the sole province of the IT department. Rather, it should be a core business competency supported by senior management with input from other business areas, such as HR, legal and compliance, public relations, customer support and the data protection team. As demonstrated by the Travelex breach, an incident can disrupt your business, with critical systems taken offline.”

Lesson 4: Integrate your response plans with business continuity

“To minimise the levels of disruption a cyber attack can inflict on your business, your incident response plan should be integrated closely with your business continuity plans,” Brian added. He urged organisations to test how effective their processes are on a regular basis. “Better to discover weaknesses in how you can respond to an incident during an exercise rather than in the midst of a real crisis,” he said.

For companies still developing their incident response plans, a useful resource is the ICO General Data Protection Regulation (GDPR)-focused checklist for handling data breaches. The UK government also offers good advice about handling media attention and crisis communications.

Good incident response can have a positive financial effect on a company as it races to manage a security incident. As security researcher Kevin Beaumont recalled, Norsk Hydro suffered a much more serious ransomware incident that left it unable to access some systems for months. Despite this, the company’s stock price rose because its communications were clear and informative. By contrast, Travelex’s parent company saw its share price fall by 20 per cent in the week following the news.

Somewhere, Dido Harding is probably breathing a long overdue sigh of relief. The former CEO of TalkTalk was the public face of an embarrassingly poor incident management plan following a major data breach at the company in 2015. Now Travelex is grabbing headlines for all the wrong reasons by showing how not to respond to a breach.