The Six Million Dollar Scam: London cops probe Travelex cyber-ransacking amid reports of £m ransomware demand, wide-open VPN server holes

More than a week after its website and online services were taken offline by malware, foreign currency super-exchange Travelex continues to battle through what has become an increasingly damaging outage that may have unpatched VPN servers at its heart. London's Metropolitan Police confirmed to El Reg on Tuesday its officers …

  1. David 132 Silver badge
    Trollface

    Don't forget this is Travelex

    And its criminal masterminds have demanded $6m (£4.6m) from Travelex

    "As you're Travelex, we'll use your own exchange rates. So that $6m USD will cost you £6.02m GBP or €8m EUR please..."

    1. Anonymous Coward

      Re: Don't forget this is Travelex

      Yes, hard not to feel schadenfreude, couldn't have happened to nicer people, etc, etc. But I do have some sympathy with their customers (even though they're serious suckers to deal with Travelex in the first place). I'm sure they'd be refunded by their banks for whatever they paid for the currency they'll never get, but I'm sure the banks will drag their feet as long as they can (30 days to process claims?)

      P.S. It will be interesting to see if the hackers stick to their promise to destroy that personal data they allegedly grabbed. On one hand, once they get their ransom, what's stopping them from making extra profit by flogging this data, record by record, or in bulk? (This might actually be the death strike for Travelex.) On the other hand, if the hackers want to continue their profitable line of business, as any business venture would do, failing to keep their "promise" would work against them in the future, sending a message to future victims: you pay the ransom AND lose data, which then makes you a sitting duck against authorities and regulations (fines ahoy) and individual legal claims. So, future victims might decide to stick to damage limitation, i.e. original losses, rather than pay ransom for nothing - if Travelex customer data is released.

      1. GcdJ

        Re: Don't forget this is Travelex

        Quote > "once they get their ransom, what's stopping them from making extra profit by flogging this data, record by record, or in bulk?"

        If the ransom is paid and then the data is put out on the internet (sold or free) then there will be no incentive for the next organisation they attack to pay the ransom. These blackmailers must solicit trust to make money in the future.

        Geoff

  2. Anonymous Coward

    ICO hints that GDPR appears to be optional

    Meanwhile, the BBC is reporting that the ICO says the choice of reporting of such breaches is down to the decision of the company affected.

    Travelex customers 'thousands of pounds out of pocket'

    The Information Commissioner's Office (ICO) said it had not received a data breach report from Travelex.

    A spokeswoman added: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms.

    "If an organisation decides that a breach doesn't need to be reported, they should keep their own record of it and be able to explain why it wasn't reported if necessary."

    Under General Data Protection Regulation, a company which fails to comply can face a maximum fine of 4% of its global turnover.

    1. Mystic Megabyte
      WTF?

      Re: ICO hints that GDPR appears to be optional

      There's something odd going on here. Earlier this morning I read that linked article, now it is no longer on the front page of the BBC. Typing "travelex" into the search bar takes you to a podcast where you need to sign in. I'm not doing that!

      1. Anonymous Coward

        Re: ICO hints that GDPR appears to be optional

        I don't get a front page story, but search gives me 6 stories from the last week.

        Does accessing the site in incognito mode change anything (i.e. without preference cookies)?

      2. Anonymous Coward

        Re: ICO hints that GDPR appears to be optional

        I think there's some algorithm they employ (well, no shit, Sherlock), and in theory, all those articles move around their site like puzzle pieces, based on what is clicked, or viewed, or whatever (hence the occasional fun when you hear media picking up stories, quoting the Beeb, only to find out that the story's 5 years old but for some reason people overlooked it, more and more clicked on it, thus the story resurfaced to feature prominently, etc.).

        Obviously, given that Travelex is probably THE story, alongside the Iranian-US "debacle", we can speculate that it's highly peculiar that it disappeared from the front. Perhaps an "algorithm" has been tweaked, by pure coincidence, by an unnamed intern to bury the bad news? It certainly appears that both Travelex and the authorities are trying DESPERATELY hard to make it a non-news. Which is interesting.

        1. TeeCee Gold badge
          Facepalm

          Re: ICO hints that GDPR appears to be optional

          ...given that the travelex is probably THE story...

          Strawman argument. I rather suspect that, outside of specialist technical circles, the level of interest in this peaked at "yeah... whatever".

          NB: "trending on tw@ter" does not count, as a very small minority of self-selecting people is, by definition, not representative of the population as a whole.

      3. Doctor Syntax Silver badge

        Re: ICO hints that GDPR appears to be optional

        That's normal behaviour for using the Beeb's own search to search for their own stories. You were looking for something from yesterday? Here's something vaguely related from 5 years ago.

      4. Anonymous Coward
        Holmes

        Re: ICO hints that GDPR appears to be optional

        Accessing it from across the pond I have no problems. Articles show up in the BBC search and, while it doesn't make the Home page or the News page, it's the third item on the Business page.

    2. Pascal Monett Silver badge

      Re: ICO hints that GDPR appears to be optional

      At this point, it would seem that the CEO is probably praying that there will be a turnover to put a fine on.

      Good. That will educate him about the importance of making sure security is part of his conception of IT.

    3. Anonymous Coward

      Re: ICO hints that GDPR appears to be optional

      The decision whether to report or not has always sat with the company, which is why you see so many public sector organisations reporting themselves - particularly the NHS as it's (regardless of the bad press it constantly gets) run by ethically minded middle-managers who just want honest governance.

      They also know that reporting to the ICO can help them get funds from senior managers to plug gaps generating these problems, it's a lever.

      Travelex doesn't have to report, although the fact they haven't flipped back to backups shows that loss of data is absolutely guaranteed if they did so. Now the ICO is very interested and will query the decision not to.

    4. MJB7

      Re: ICO hints that GDPR appears to be optional

      Travelex are (currently) claiming no data has been exfiltrated. *If* that is true, there is no breach to be reported to the ICO.

      If it turns out that a bunch of IP addresses has been exfiltrated, it may be possible to argue that "people's rights and freedoms are not at risk". If email address, password hash and salt have been exfiltrated ... not so much.

  3. julian_n

    It looks like firing Cyber Security professionals was not the smartest move by Travelex. Not sure the salary savings will cover the cost of fixing this.

    1. Giovani Tapini

      Firing the cyber security people. Possible

      However you may equally find they have been flagging issues for months and the beancounters didn't want to replace or remediate lots of kit that doesn't bring cost reductions...

      1. Anonymous Coward

        Re: Firing the cyber security people. Possible

        Or senior management really "needed" access to Dropbox so they could see their stuff at home etc.

    2. AndrueC Silver badge
      Unhappy

      ..either that or price rises will have to ;)

  4. Pangasinan Philippines
    FAIL

    Future ON-CALL or WHO ME?

    Looking forward to reading that one

  5. Chris Hills

    Head in the sand again

    They were told of the insecure Pulse VPN servers and ignored the warning. But I'm sure the execs will get off scot-free.

    1. sanmigueelbeer
      Joke

      Re: Head in the sand again

      But I'm sure the execs will get off scot-free.

      Free, a big promotion and a raise (in the currency of their choosing).

      The Information Commissioner's Office (ICO) said it had not received a data breach report from Travelex.

      Maybe because Travelex's email isn't working?

    2. Anonymous Coward

      Re: Head in the sand again

      I doubt if the execs will get off "Scott free".

      They might not have a company to come back to in a couple of weeks! Depending on how they handle things now, they could lose many of their contracts with banks and supermarkets, which could start them on a downward spiral even if they survive January.

      I doubt those execs are sleeping comfortably at the moment, and the CEO / CTO will struggle to walk into a new role after this bad publicity.

      1. Anonymous Coward

        Re: the CEO / CTO will struggle to walk into a new role after this bad publicity

        Are you suggesting that the career path of that ex-TalkTalk Fona Something, POST-TalkTalk-tits-up, is an exception to the rule? I don't know, it would be interesting to see some stats and graphs (seriously).

      2. theblackhand
        Coat

        Re: Head in the sand again

        Well...the board of directors is Scott-free already.

        I'll get my coat...

    3. Anonymous Coward

      Re: Head in the sand again

      The execs must be some real old farts who were usually complacent, certain that their old school ways would talk their way out or use their lawyers to get out of any trouble they might find themselves in.

    4. Steve Evans

      Re: Head in the sand again

      It'll be interesting to see if, or how well, they survive.

      I'm sure they have insurance against IT issues, but I'm also pretty sure that those policies have clauses about keeping things patched and up to date.

  6. Anonymous Coward

    GDPR: Is the ICO a Chocolate Fireguard?

    From the Guardian:

    Travelex 'being held to ransom' by hackers said to be demanding $3m

    "They are reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless the company pays up."

    1. Anonymous Coward

      Re: into the public domain unless the company pays up

      I very much doubt they'd ever release it "to the public domain"; unless they work to bring Travelex down, there's no profit for them in such a release. At most, they would release a few records to verify their claim. Flog the data on the black market, that's another matter. But this also comes with more and more risk these days, as authorities become more clued up. The most ideal situation would have been for the hackers to do it all quietly - inform the company, demand ransom, get the money, end of story. Clearly, Travelex wouldn't play ball, so the hackers made the information public, to put some pressure on the company. However, the longer it drags on, the less chance the ransom gets paid, and the more chance that the UK's (and probably US's) full state resources will be directed to track them.

      1. AndrueC Silver badge
        Stop

        Re: into the public domain unless the company pays up

        Ransoms should never be paid. It only encourages the perpetrators to do it again. I know it can be tough when Aunty Maud has been grabbed but think about Uncle Bill - he could be next.

        If no-one ever gave into ransom demands there would be far fewer kidnappings. Every time demands are met it perpetuates the crime.

        1. Anonymous Coward

          Re: into the public domain unless the company pays up

          That's alright then. I haven't got an Aunty Maud.

          1. phuzz Silver badge
            Windows

            Re: into the public domain unless the company pays up

            And they can keep Uncle Bill, he's a racist old prick.

            I won't accept less than twice the ransom to take him back!

            1. Claptrap314 Silver badge

              Re: into the public domain unless the company pays up

              You mean...he's being marked down?

        2. OssianScotland
          Pint

          Re: into the public domain unless the company pays up

          Alternatively, if you (or Uncle Bill) read Kipling's Danegeld, you get the general idea.

          "For once you have paid him the Danegeld, you'll never get rid of the Dane"

          Icon: to Rudyard, still one of the best authors in the English Language, and still a poet of our times.

        3. Anonymous Coward

          Re: Ransoms should never be paid

          Sadly, reality is different. To the point that some security experts (yes, they know their techie stuff), albeit in another country, openly declare they recommend their clients pay up. And snort at those who point out something seriously wrong in such declarations, as in "yeah, well, grow up!" :(

          1. Claptrap314 Silver badge

            Re: Ransoms should never be paid

            If I ever encounter a self-styled security "expert" making that recommendation, I'm going to ask him what his percentage is.

            ********

    2. Prst. V.Jeltz Silver badge

      Re: GDPR: Is the ICO a Chocolate Fireguard?

      "They are reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless the company pays up."

      So is this a ransomware situation or not?

  7. Kevin Fairhurst

    "there is still no evidence to date that any data has been exfiltrated"

    ... because all the computers are switched off, and the data on them has been encrypted anyway.

    Of course, once the professionals get in to the systems and look at the logs we'll find that there *IS* evidence of data exfiltration, going back months, but by then the execs will all have "retired" on big fat bonuses...

  8. Mr Dogshit
    FAIL

    Patch your shit or get hacked, people.

    1. OtotheJ

      Patching +

      Don't believe that fully patched systems are going to protect you from attack.

      On a daily basis we are seeing phishing emails that lead to legitimate looking Google/365/LinkedIn web pages where people merrily give away their usernames and passwords.

      Focus on educating people as well as patching systems.

      1. Prst. V.Jeltz Silver badge

        Re: Patching +

        true dat,

        There should never be a legit situation where following a link leads to giving away your password.

        The muggles should be told - never do that.

        And businesses should get their shit together and stop offering such links and just say

        "go to our website and login"

        They don't help themselves!

        1. Doctor Syntax Silver badge

          Re: Patching +

          I can't imagine why you got two down-votes for that. Banks and building societies are, in my experience, the worst offenders for training their customers to be phished.

          1. John H Woods Silver badge

            Re: "Banks and building societies are, in my experience, the worst offenders ..."

            Yep,

            Certainly they spent a lot of the last decade phoning up and asking security questions. Don't know whether they still do and I'm just on an 'awkward list' of people who never reveal any information on any incoming* call.

            *it's still 'incoming' IMHO if you made the call because someone texted or emailed you the number.

            1. Doctor Syntax Silver badge

              Re: "Banks and building societies are, in my experience, the worst offenders ..."

              I think phoning up costs too much money these days so they don't do it.

            2. Chris King
              Holmes

              Re: "Banks and building societies are, in my experience, the worst offenders ..."

              "Don't know whether they still do and I'm just on an 'awkward list' of people who never reveal any information on any incoming* call"

              They still do, and I still tell them I will ring back on one of the bank's normal telephone banking numbers. And WHY am I such a git about this? I had one cheeky bastard try the "Hello Sir, I am from your bank" opening gambit on me.

              "What's my name? Which bank?"

              *click*

              Yes, it's a new decade, and people still fall for this crap.

              1. Anonymous Coward

                Re: "Banks and building societies are, in my experience, the worst offenders ..."

                "What's my name? Which bank?"

                *click*

                If only that worked for "which accident was that, then?" because they then rabbit on as if convinced you really did have an accident.

                Then I ask them who they want to contact.

                When they say "Michael Rodent", I suggest they think carefully about that name. Rarely does the penny drop.

                (I filled in the webform about 4 years ago. They still call. Mr Rodent broke every bone in his body in that accident.)

                1. Chris King

                  Re: "Banks and building societies are, in my experience, the worst offenders ..."

                  "So you're saying I had a serious accident? Wow, I've got absolutely NO memory of it whatsoever - the brain damage alone must be worth millions! Where do I sign up?"

                  *click* again.

  9. elwe

    It is 2020, what was the customer data and critical systems doing on Windows boxes, rather than Linux with a snapshotted file system underpinning the storage?

    At the places I have worked since 2006 this kind of ransomware would mess up finance, HR etc. But the real customer-facing work would be unaffected. And those affected systems would be rebuilt with a clean client OS and up and running relatively quickly. Once HR and the bean counters figured out how to recreate their shortcuts, so over a week sounds reasonable...

    1. Korev Silver badge

      A fully patched and configured Windows Server setup would be more secure than a neglected Linux system, think of some nice vulnerabilities like Heartbleed.

    2. Halfmad

      Linux has its own problems; the underlying issues here are a culture of not funding and/or caring about information and cyber security.

      If they did at most they'd be back up and running already and saying "we lost X amount of data, sorry ICO".

      Instead they are still down, still clutching at straws and in PR damage limitation mode.

      1. Anonymous Coward

        "Instead they are still down, still clutching at straws and in PR damage limitation mode."

        It's worse than that - they are at "Instead they are still down, still clutching at straws and in PR damage limitation mode AND considering paying £3 million because they think they may get their data back because it looks like it might be gone for good"

    3. The Original Steve

      "It is 2020, what was the customer data and critical systems doing on Windows boxes, rather than Linux with a snapshotted file system underpinning the storage?"

      If you think you are safe from attacks, viruses and malware just because of a particular technology choice, then you're both sorely mistaken and I wouldn't be surprised if you've already been done over without knowing it.

      Security isn't actually a technical issue per se, it's cultural. As posted above, a properly configured Windows Server is more secure than a poorly configured <insert OS of choice> server.

      End user education, tiered security, least user access, well trained administrators and strong processes including the assumption you WILL be compromised (and thus have a strong, tested, offline backup) are SOME of the measures to help mitigate security issues.

      Changing an OS is like changing the brand of car you drive. How you drive and maintenance of the vehicle make far more difference to how likely you'll be involved in a collision.

      1. ovation1357

        This is all well and good and indeed I agree entirely that attitudes and good processes are essential.

        But Windows does have an atrocious track record in security and whilst there is now some ransomware out there which attacks Linux, the majority by a very long shot targets only Windows, which in itself makes it a poor choice of OS in my view. (I caveat this that if everyone switched to something else I'm sure the crims would then target the next most popular OS.)

        No OS is perfect but M$ has historically been very late to the security hardening party. Plus at one end they're patching vulnerabilities like there's no tomorrow whilst at the other end they're putting out a constant stream of Swiss cheese applications and technologies, often using their world domination to push them to everyone, and creating vast new attack surfaces.

        Windows has no place in the server market IMO and M$ knows it, hence all their desperation to embed Linux into Windows and support server development.

        The ageing execs who still doggedly hold on to the mantra that nobody ever got fired for buying Microsoft and insist on it being the only corporate 'approved' OS are probably the only reason why some of the biggest names in software still produce a Windows version of their product. And the typical word on the street is that much of it doesn't run as well and/or lacks features and/or isn't very well supported when compared to the Linux version.

        Choose a mainstream Linux distro, Choose *.BSD, hell, choose Solaris if you have to. Choose well established and well trusted open source software where possible. Follow best practice guides, keep patched.

        But keep Windows limited to Noddy desktops for running Excel, games, CAD or whatever and don't try and run backend services on it - it won't end well :-(

        1. NiceCuppaTea

          The reason there is less malware for *nix is low adoption rates among the unwashed. Writing malware is a business, and as a business you have to think of ROI.

          If I write a nasty piece of code for *nix I will have the opportunity to infect and gain money from x% of the world; if I write for Windows I will have the opportunity for X%.

          I'm pretty sure there are a massive amount of *nix-exclusive attack vectors that haven't been discovered or exploited simply because it's not worth investing the time and effort involved in finding them.

          I have no particular allegiance to any OS but it's simple economics.

          1. Anonymous Coward

            The Unix philosophy was always KISS - Keep It Simple, Stupid. It started that way in Linux too.

            Windows can never, ever be described as having that philosophy.

            The tools (even today when systemd is the final nail in the coffin of that philosophy) to detect an APT remain far simpler for Linux than Windows.

            Plus, once you have the AD you have the entire corporate network. Every single bit of it. The Keys to The Kingdom.

          2. Claptrap314 Silver badge

            You're noticing R a lot, but not I. Yes, *nix systems have regular vulnerabilities. Those used by average users (running Chrome) even more. But it is still, on average, a lot more work to get a working exploit deployed to *nix boxen than the M$ shite. That also matters.

        2. Trixr

          Obviously spoken as someone who has no idea of how to secure a modern Windows OS on a server. No, it's not perfect, but no OS is.

          In terms of assumptions about Windows, the most harmful one is that "it's simple" and "anyone can manage it". Well, anyone actually can't in an enterprise, securely, but when bosses insist on paying for new graduates rather than people with actual experience and preferably proper security experts to come up with proper hardening practices, and NOT paying for the remediation that needs to happen to deal with the stupid insecure practices they've been perpetuating for many years that MSFT themselves have often been deprecating for literally decades... Not to mention fellow techs who whinge about not getting domain admin or other global and highly-privileged rights when they don't actually need them.

          Which, by the way, many *nix-based vendors have perpetuated - how many SAN or printer or xyz manufacturers have SMB1-only baked into their firmwares until recently (or still)? One large printer manufacturer I dealt with literally only began supporting SMB2+ in a firmware release 2 years ago. It's been deprecated for over a decade. Yes, businesses do in fact buy printers for "scan to network" features, and yes, they will choose devices that offer that vs those that don't.

          Not to mention the vendors who also perpetuate the problems by saying that the current version of their product will only be supported on SQL 2008, for example, because it hasn't been "validated" on a newer SQL version. In the instances they want a crappy old version of SQL, it's because the product itself has been written to use some horrible insecure "sa" logon or something similar. Try telling a hospital they can't use the software that runs their MRI. Or tell a public health service they have to spend multi-millions on an upgrade once the vendor finally gets around to updating their garbage, ahem, software. Which often entails a significant version jump and expense and risk since no-one's done such a thing since it's been installed, and it can't be handled by the usual support staff (at least not without a lot of testing and training, and perhaps training the users, if the version upgrade has also bundled in significant UI changes etc etc etc etc).

          Then you have vendors saying their software requires domain admin rights - thank you, Commvault - and many other similar idiocies, because they can get away with it, and there are not sufficient numbers of people with the expertise to question these blanket statements. I wish MSFT would slap down these "partner" software vendors and make them provide better information to their customers.

    4. MrBoring

      I read elsewhere that they may have been on their systems for 6 months until they struck. They had ample time to really plan and counter any recovery attempt.

    5. Doctor Syntax Silver badge

      "It is 2020, what was the customer data and critical systems doing on Windows boxes, rather than Linux with a snapshotted file system underpinning the storage?"

      In a lot of cases I'd agree with you. That would be the consequence of running a monoculture and getting phished.

      However it looks as if this was the consequence of a failure to protect their VPN against intrusion and the intruders have been able to take their time. By now they'd probably have acquired admin credentials on the Linux boxes. I doubt there's anything beyond a dumb printer in there that could be trusted by now.

    6. SAdams

      Windows can have file level snapshotting, storage level snapshotting and be backed up.

      Even ignoring the Pulse patching issue, and possibly some privileged accounts with dodgy passwords, this is not a Windows issue but a Windows management/governance issue.

  10. frustin

    Can't understand how the virus got on there unless the systems were not kept up to date? Or the systems were so out of date they were no longer protected?

    The fact that they're back to pen and paper as well. That's just incredible. Business continuity must be non-existent given they've been down since New Year's Day.

    I bet they're still trying to figure out which systems are affected and they can't turn on the machines while connected to the network (for fear of infecting others). Which would mean they're having to do it manually, one machine at a time.

    1. Prst. V.Jeltz Silver badge

      Can't understand how the virus got on there unless the systems were not kept up to date?

      You can't?

      Being up-to-date is not a 100% solution for complete cyber security.

      It's just one of the most important steps.

      That vulnerability was there since version X was released; some time later the vendors realised that and issued patch Y.

      All of the time datediff( x, y ) the system was up to date and yet still vulnerable to this attack.

  11. Anonymous Coward

    Is CEO going to be in next honour list

    Is CEO going to be in the next honours list?

    Somebody made "T4lk t4lk" a baroness who is now part of team that are going to "give away" all medical data to Goggle.

    Beggars belief.

    1. BamBam

      Re: Is CEO going to be in next honour list

      She was made a peer about a year before the TalkTalk data breach.

      1. Peter X

        Re: Is CEO going to be in next honour list

        True. But she got the NHS gig _after_ TalkTalk. So, somehow, out of all the people in the world the NHS could've employed, Dido Harding was the person they chose... and I imagine she went through a blind recruitment process so there's no chance nepotism had anything to do with it. <innocent-face>

        1. Roj Blake Silver badge

          Re: Is CEO going to be in next honour list

          Being the wife of a Tory minister and the daughter of a baron had nothing to do with the appointment, natch.

  12. Anonymous Coward

    The Lie

    Clearly someone not reading from the same page.

    From The Register

    "In a statement to the media, Travelex confirmed it had fallen to a Sodikinobi ransomware infection, though claimed no data had been siphoned off and stolen."

    From BBC news

    'Dates of birth, credit card information and national insurance numbers are all in their possession, they say.

    The hackers said: "In the case of payment, we will delete and will not use that [data]base and restore them the entire network.

    "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."'

    Nevertheless, appointing a CEO with no appreciation of security should be discouraged!

    1. Doctor Syntax Silver badge

      Re: The Lie

      Assuming this threat is based on reality what were they doing holding stuff like DoB & NI number? Being asked for that if I wanted to change money would be a red flag.

      1. Anonymous Coward

        Re: what were they doing holding stuff like DoB & NI number?

        Whenever (that's two counts) I tried to buy cash at Thomas Cook (well, last-minute rush), they "asked" for my name, ID and postcode. To which I promptly asked "what for, why?", to which I received a polite equivalent of an "I don't give a fuck, you want this money or not?" shrug, to which I responded in kind, and walked out (and yes, there are places where you don't need all this, and it's still legal). But then, how many people, in the days of I WANT IT NOW, I MUST HAVE IT NOW, walk away? ANYONE? Truth is, their nosiness is, at least partly, due to anti-money laundering regulations that are slapped, particularly, on large-scale businesses. Not that those regulations are very efficient, given how well they can be circumvented by various semi-legitimate offshore schemes...

        1. Dog Eatdog
          Big Brother

          Re: what were they doing holding stuff like DoB & NI number?

          I went to a local foreign exchange place in Chinatown here. The teller asked for ID, which I didn't have, so she used her own!

          Maybe if I was only exchanging $100 instead of $10,000 she wouldn't have been so understanding.

          1. keith_w

            Re: what were they doing holding stuff like DoB & NI number?

            In 2005 I went to the UK without a quid in my pocket as my bank branch was out of UK currency. After about 4 days of visiting and paying for everything with my credit card, I was in London about to visit the Tower and saw an ATM, walked up to it, put my card in and withdrew a bunch of UK currency. Easiest FX I have ever done.

            1. Trixr

              Re: what were they doing holding stuff like DoB & NI number?

              Except you pay even more for the credit card currency conversion. You may not be visiting a country with ATMs that take your card. I do mightily resent having to present ID to buy cash though.

  13. Buzzword

    Outsourced and out of sight?

    From April 2017: https://www.peterboroughtoday.co.uk/business/leading-peterborough-employer-to-move-city-jobs-to-india-1-7896706

    "Foreign exchange company Travelex, based in Worldwide House, in Thorpe Wood, has been consulting with staff for months over its plans to move some jobs to Asia. It is understood that about 75 finance jobs will be lost to Peterborough. Travelex employs up to 400 people in Peterborough. The remaining staff cover a variety of functions including human resources, IT and customer service. It is understood that the company is seeking to make the redundancies to improve efficiency and to cut costs."

    Sounds like only finance roles were relocated, not IT. Would be interested to hear more from any present or former insiders.

    1. prinz

      Re: Outsourced and out of sight?

      Well, perhaps IT was already outsourced long ago...

      From 2003 :

      https://www.computerworld.com/article/3461252/travelex-saves-with-network-outsourcing.html

      1. Doctor Syntax Silver badge

        Re: Outsourced and out of sight?

        From the link: “We would need to employ people on a 24x7 rostered basis to monitor our network at this level since we can’t afford to have the network offline.”

        So they understood the problem, but not the solution.

  14. Joe Harrison

    What's the future anyway

    Not looking at Travelex in particular but the business model of all high-street bureaux de change is to live in the margin generated by offering retail customers about 6% worse buy/sell exchange rate in comparison to the actual market rate. Now that consumers can pretty much get the real rate anyway (via Revolut et al) then what's the future for the bureaux?

    1. MJB7

      Re: What's the future anyway

      Yup. I just paid about 3.5‰ (that's permill, not percent) to change CHF to EUR with Transferwise.

      Admittedly that's on 10,000 CHF, and it was an electronic transfer. If you want to get €100 in paper notes for starting cash for your holiday, there is always going to be a (significant) cost to that.

    2. Anonymous Coward
      Anonymous Coward

      Re: What's the future anyway

      Don't mistake your knowledge / interest (Revolut, etc.) with that of the "general public". Or the power of "convenience". I'd think that the Travelexes of this world would have been long gone, and yet, every time I pass a UK airport, I see their counters, always a couple of travellers being ripped off, and never looking too distressed about that. So, clearly, there's still a huge market of those who don't know, or don't care to get the best (or good enough) deal.

      1. Hugo Rune
        Holmes

        Re: What's the future anyway

        "always a couple of travellers being ripped off"

        That'll be me. Order online, pick up at the airport. I've always had better rates than the high street / M&S, that way. He who has the last laugh...

      2. ovation1357

        Re: What's the future anyway

        I find it astounding how many people still, quite willingly, pay huge amounts of commission and/or accept terrible rates from banks and bureaus.

        For any holiday travel in Europe you can get completely free cash and card transactions from Metro Bank (or the new fintech companies, although I have no experience of them yet) - if you're lucky enough to be near a Metro branch you can turn up with a few ID documents and walk out an hour later with a working debit card plus online banking.

        Like with credit cards, they'll use either Visa's or MasterCard's standard exchange rate, which always seems to be the best us mere mortals could ever get and usually matches the rates on the likes of xe.com.

        For further afield there's Halifax's 'Clarity' credit card with zero fees worldwide. If you withdraw cash then they'll charge interest from the point of withdrawal (but crucially, no fees) - a savvy customer might use their online banking to instantly pay off what they just withdrew and then the interest is zero as well ;-)

        The above two options have served me well for about 8 years now. Last time I used any kind of bureau must have been over 10 years ago.

        Will I miss Travelex? No.

        I do hope that all the customers manage to get their money back.

    3. Anonymous Coward
      Anonymous Coward

      Re: What's the future anyway

      Most consumers want to get a little bit of cash at the airport and change it back when they get back. Whether they are getting a good rate is not a concern to them. Foreign currency is essentially an impulse purchase.

  15. anthonyhegedus Silver badge

    'maintenance'

    I was particularly dismayed to see that the website says that it's under maintenance. At least the UK website did. The US website says they've been hit by a virus. Nice to see they're being so open and transparent, a bit like their exchange rate prices. Set Schadenfreude to maximum!

  16. Anonymous Coward
    Anonymous Coward

    lack of investment

    This is not a new problem for Travelex. This is years of neglect. In a former job I was a hiring manager for a security department. We had one vacancy. Every single person from the local Travelex I.T. team applied for the role and every single one told the same story during interview of the lack of I.T. security investment within the company. It's been a car crash waiting to happen for years.

    I imagine senior management will pull the same old "we're the victims" like TalkTalk and Vodafone have done previously. We can only hope they're hit with a massive GDPR fine as a warning to others.
