Lessons from the Travelex hack

Patrick Rozario

Another high profile cyber-attack was publicised over the new year, when Travelex, the world’s largest network of bureaux de change with more than 1,000 stores and 1,000 ATMs around the world, announced that some of its services were compromised by ransomware. As a precautionary measure, Travelex immediately shut down all its systems to prevent further spread of the malware across its networks.

Ransomware is a type of malware that prevents or limits users from accessing their systems, either by locking system access or by locking the users' files, unless a ransom is paid. More advanced iterations of ransomware encrypt certain file types on infected systems and force users to pay the ransom in cryptocurrency.

The ransomware attack has had a knock-on impact on foreign exchange services, affecting banks such as Lloyds, Barclays, HSBC and RBS. When everyone tallies the financial impact in the aftermath of the ransomware attack on Travelex, it may reach tens of millions of dollars, if not hundreds of millions.

In recent years, there have been several major cyber security breaches involving large organisations. One common element among these targeted organisations is that they hold considerable amounts of personal information. Unauthorised access to personal information can lead to illicit financial gain, which is the most common driver of data breaches.

The 2019 Verizon Data Breach Investigations Report (DBIR) provides a crucial perspective on the cyber threats that organisations face today. The 12th edition of the DBIR is built on real-world data on security incidents and data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide. An incident is a security event that compromises the integrity, confidentiality or availability of an information asset. A breach is an incident that results in the confirmed disclosure (not just potential exposure) of data to an unauthorised party.

To combat this, organisations can deploy anti-ransomware controls such as blocking executables at the email gateway, disabling macro-enabled Office documents, stopping malicious JavaScript from running, and keeping browser software up to date to remove vulnerabilities. Staff awareness and training on cybersecurity is also crucial. However, the most important task for any organisation is to back up critical data regularly and consistently, while also filtering out malicious emails and websites. If a ransomware attack succeeds, the organisation will at least have its important data elsewhere for recovery.
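As an added illustration of the email-gateway controls described above (example code written for this page, not from the original article, Travelex or Moore), the following attachment filter applies a block-executables and block-macro-documents policy to constructed sample attachments. It checks content as well as the claimed name: the Windows PE "MZ" header catches a renamed executable, and a vbaProject.bin member inside an OOXML zip catches a macro document saved under a harmless-looking extension. The extension lists are assumptions for the example.

```python
import io
import zipfile

# Assumed policy lists for this example: executables and macro-capable Office formats.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".hta"}
MACRO_ENABLED_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
LEGACY_OFFICE_EXTENSIONS = {".doc", ".xls", ".ppt"}  # binary formats that can always carry macros

def has_vba_project(data: bytes) -> bool:
    """OOXML files are zips; a vbaProject.bin member means a macro is embedded, whatever the name says."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False

def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'allow' or 'block: <reason>'; content is checked before the claimed extension."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if data[:2] == b"MZ":  # Windows PE header, regardless of extension
        return "block: PE executable by magic bytes"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block: executable extension"
    if ext in MACRO_ENABLED_EXTENSIONS or ext in LEGACY_OFFICE_EXTENSIONS:
        return "block: macro-capable Office format"
    if has_vba_project(data):
        return "block: embedded VBA project"
    return "allow"

def build_ooxml(members: dict) -> bytes:
    """Build a minimal zip-based document for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample attachments (not real malware): a PE stub renamed to .pdf,
# a .docx that quietly carries a VBA project, a clean .docx and a plain text file.
SAMPLES = {
    "invoice.pdf": b"MZ" + b"\x00" * 62,
    "report.docx": build_ooxml({"word/document.xml": b"<w:document/>", "word/vbaProject.bin": b"\x00"}),
    "notes.docx": build_ooxml({"word/document.xml": b"<w:document/>"}),
    "readme.txt": b"hello",
}

def scan_samples() -> dict:
    """Apply the gateway policy to every constructed sample and return the verdicts."""
    return {name: classify_attachment(name, data) for name, data in SAMPLES.items()}
```

A real gateway would quarantine rather than silently drop, and would log the verdict so that the monitoring recommended later in the article has something to work with.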

According to the Verizon 2019 DBIR, 52% of breaches featured hacking, of which 70% were web-application attacks (any incident in which a web application was the vector of attack; this includes exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms); 33% included social attacks; 28% involved malware; miscellaneous errors accounted for 21% of breaches; 15% were misuse by authorised users; and physical theft and loss were 4% of breaches. Many of these actions overlap, so the percentages add up to more than 100%.
Some best practices to prevent breaches start with establishing an asset and security baseline around internet-facing assets such as web servers and cloud services. These can include:
  • network segmentation: many breaches are the result of poor security hygiene and lack of attention to detail;
  • performing web application scanning and testing to find potential vulnerabilities; web application compromises now include code that can capture data entered into web forms;
  • implementing 2FA (two-factor authentication) on everything; while 2FA is not perfect, there is no excuse for not implementing it;
  • tracking insider behaviour by monitoring and logging access to sensitive data;
  • protecting systems from DDoS (Distributed Denial of Service) attacks, which includes guarding against interruptions with continuous monitoring and capacity planning for abnormal traffic; DDoS attacks are designed to overwhelm systems, resulting in performance degradation or interruption of service;
  • staying socially aware: social attacks are an effective way to capture credentials, so monitor email for links and executables and conduct awareness training so that your staff report potential phishing or pretexting;
  • last but not least, applying timely patches to your operating systems and application software is critical.

In relation to the Travelex cyber-attack, a number of interrelated topics have arisen for interesting argument and debate. One is whether a ransom should be paid. Europol (the European Union Agency for Law Enforcement Cooperation) has regularly stated that paying fuels criminal activity. Initiatives like the “No More Ransom” campaign encourage victims not to give in to hackers’ demands. However, companies could spend a lot more on recovering operations than on paying the hacker.

It is critical that every organisation implements a cyber-security framework like the one published by NIST (the National Institute of Standards and Technology), which is intended to help organisations manage and mitigate cybersecurity risks.

The NIST Cybersecurity Framework is organised into 5 functions:
  1. Identify: develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities;
  2. Protect: develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;
  3. Detect: develop and implement the appropriate activities to identify the occurrence of a cybersecurity event;
  4. Respond: develop and implement the appropriate activities to take action regarding a detected cybersecurity event; and
  5. Recover: develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Irrespective of the type and amount of data an organisation maintains, there is always someone who is trying to steal it. Having a good understanding of the vulnerabilities and threats that an organisation and its peers face, how they have changed over time, and which hacking tactics are being employed could help to prepare the organisation to manage these risks more effectively and efficiently.

For advice on cybersecurity in your business and operations please contact your local Moore office or Patrick Rozario at