The year started in possibly the worst possible way for Travelex. As bells rang out to welcome in 2020, the currency exchange’s operational and reputational nightmare was just beginning. Hackers had launched a major cyber attack which caused the firm’s website to be taken down and its offices in multiple countries to resort to pen and paper, according to reports. A ransomware gang claimed to be behind the attack and demanded Travelex pay £4.6m.
It wasn’t until almost a fortnight later, on January 13, when the business started to switch in-store systems back on again. But by then it was too late to save the company’s reputation – the damage had already been done.
Transparency is key in maintaining customer trust, especially for firms in the financial services industry. Unwisely, Travelex took too long to inform its customers about what had taken place and putting up a press statement on the website days after the event simply wasn’t good enough.
So what can we learn from the Travelex data breach and what can organisations so to ensure they are protected from similar attacks?
Lesson 1: Respond transparently and quickly
The first lesson we can learn is how to respond to a breach. All organisations have a responsibility to keep customers informed when their systems are breached by hackers. This applies even if no data has been lost which is what Travelex claimed. Of course, companies need to balance the need to communicate with customers quickly, against the need to ensure information communicated is accurate. However, it’s imperative to provide customers with some level of assurance that the incident has been or is being dealt with.
All companies also have certain obligations as a controller under Data Protection legislation; one of which is to report personal data breaches to the supervisory authority. If the breach is covered by the General Data Protection Regulation (GDPR), companies need to assess if the breach needs to be reported to the supervisory authority and do so within 72 hours but also to the National Cyber Security Centre (NCSC).
Lesson 2: Learn from past mistakes
Getting the response right was especially important for Travelex considering the company suffered a breach in 2018 which exposed the personal details of 17,000 customers.
It’s important that business leaders learn from past incidents involving their own and also other organisations, and build those learnings into a singular cyber response/resilience plan. Having the right processes in place in good time is critical in being prepared for an attack. A robust cyber strategy should include technical aspects like replicating data, off-site backups, network segregation, firmware updates and even regular penetration testing. It also covers response — not just in fixing the issue, but in informing the wider business, the media, and most importantly customers.
Lesson 3: Don’t let yourself be at risk from ransom demands
The gang behind the Travelex hack, Sodinokibi, told the BBC it wanted Travelex to pay £4.6m and whether this was paid or not we may never know. Companies often question whether they should pay the ransom in such scenarios, but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored.
There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and it is likely that that the data will be sold or stored by the hacker. Then of course there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.
The likelihood of having to answer the “pay or not pay” question is greatly reduced entirely if organisations put in place a strategy containing all of the preventative actions mentioned above.
Regardless of industry or company size, there is no room for complacency. Cyber threats are changing daily, so it is more important than ever that organisations have the right processes, controls and security measures in place. All organisations are at risk because everyone has something of value to lose, whether that’s access to systems, intellectual property or customer data.
Having a plan in place to mitigate risk is essential and prevent, detect and respond are the three key elements to live by. These should cover everything from the business impact of an attack, technical considerations on how to prevent them, as well as how to respond to stakeholders, customers and staff. Only with these processes in place can organisations avoid the reputational damage suffered by Travelex in the event of a similar attack.
At Bridewell Consulting we are in it for the long term. As a trusted partner, our team of experts can assist you on your cyber security journey and beyond. For further information or a no commitment chat, on any of the above, please get in touch here or give us a call on 01189 255 084.
Written by James Smith – Head of Penetration Testing and Principal Security Consultant