Travelex Still Offline After a Sodinokibi Ransomware Attack

By Bill Toulas / January 8, 2020

Travelex has fallen victim to a REvil/Sodinokibi infection on December 31, 2019, and all of its websites remain offline for the time being. The London-based foreign exchange company is now held hostage of the ransomware actors who are demanding the payment of $3 million in Bitcoin. To increase the pressure, the malicious actors are also threatening to release some of Travelex’s customer data to the public, so this is a catastrophe for the firm. Right now, the company is working together with the National Crime Agency (NCA) and the London Metropolitan Police’s cybercrime department to investigate the incident.

Travelex operates in over seventy countries and has 1200 retail branches. It’s global banking partners include Barclays, First Direct, HSBC, Sainsbury’s Bank, Tesco, and Virgin Money, so the negative effects of this attack on foreign currency exchange are global. As there are no clarifications or timelines for when the systems will return to normal operational status, we can’t say for sure if Travelex is planning to pay the ransom or restore from backups. According to unnamed sources, the actors managed to encrypt the entire network of the firm, and also copied more than 5GB of personal data of customers, including credit card details, social security numbers, and dates of birth.

Tony D’Souza, an executive of Travelex, has made the following statement: “Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise. We take very seriously our responsibility to protect the privacy and security of our partner and customer's data as well as provide an excellent service to our customers and we sincerely apologize for the inconvenience caused. Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim. We are working tirelessly to bring our systems back online.”

The issue here is that Travelex hasn’t taken the responsibility to protect its customers very seriously in reality, no matter what they are telling the public now. As it seems, the hackers exploited a Pulse Secure VPN vulnerability that was known since August 2019, and which was analyzed in detail by Devcore researchers back then. Carrying the identifier “CVE-2019-11510”, the exploited flaw was already patched at the time of its publication, but the researchers detected that hackers were targeting unpatched systems since then. According to more revelations, Travelex was warned that they remained vulnerable once more on September 13, 2019, and again, they did nothing about it.

Chris Morales, head of security analytics at Vectra has provided the following comment for us: “Any vulnerability in the remote access of a network is a big deal. The security industry rates vulnerabilities with a score from 1-10 based on ease of exploit and the impact of exploit. In the case of a VPN vulnerability, if it was remotely exploitable from the internet and gave an attacker the same level of access as an approved remote user, then this would have been scored a high priority and should have been addressed immediately. I don’t know all the variables at play specific to Travelex, however, it is a shame that vulnerability management and patching are still difficult to do.”

Do you feel that Travelex had it coming? Will you be trusting the company again as a customer? Let us know where you stand in the comments section down below, or join the discussion on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: