It’s a bit early to declare there’s a new trend in ransomware attacks, but the devastating hack of Travelex currency exchange systems includes a twist that should concern many large corporations — hackers claim they have combined a crippling data encryption incident with an embarrassing data breach to severely up the stakes on their extortion demands.
To catch you up, world travelers have been struggling to obtain currency since New Year’s Eve, when Travelex systems were compromised by ransomware, and the firm’s systems were taken offline. The hack is particularly disabling because Travelex is the service provider for hundreds of global banks — meaning many travelers are unable to obtain currency online. Some consumers are stuck without cash needed to travel; others were in mid-transaction when the hack hit, leaving them in limbo. The firm is currently directing travelers to in-person kiosks, where transactions are being tracked by pen and paper. An employee who contacted the BBC said his Travelex computer has been inoperative for more than a week because of the data scrambling.
The hackers have said they want $6 million for the key to unscrambling the data, which would allow Travelex to restore its systems.
Making matters much worse, the BBC says it was contacted by someone claiming to be involved in the hack, who made the additional claim that the criminals had stolen a large amount of data from the firm — 5GB of sensitive customer data, including dates of birth, credit card account numbers, and other personal information. So far, Travelex has denied this claim.
Are the criminals bluffing? We’ll find out. But either way, attaching a ransomware attack to a data breach is a strategy that could net hackers bigger payouts, thanks at least in part to Europe’s GDPR privacy law, which raises the possibility of large fines for companies that leak personal data.
Large firms with robust security departments should be capable of recovering from a ransomware attack using backups and other disaster recovery protocols. Several years ago, ransomware hackers began training their sights on smaller organizations — local governments, hospitals, police departments, and schools, for example. In its annual ransomware report, Emsisoft said that 966 such organizations were hit last year. Ransomware actors also learned that, perhaps ironically, lowering their ransom demands made it more likely they would be paid by smaller organizations. When it’s cheaper to pay a hacker than pay a security firm, many organizations do just that, even if the FBI recommends against it.
But a combined ransomware/breach hack could change that business case for hackers. By combining a high-profile business disruption with a potentially big-ticket data heist, ransomware gangs might be back in the business of making million-dollar demands on large firms. Indeed, Rik van Duijn, a security expert in the Netherlands, says ransomware named REvil — which Travelex says was used in this attack — is currently being used to extort near million-dollar ransoms out of at least five organizations.
The Travelex hack is troubling in another way. The firm wouldn’t normally be considered critical infrastructure, but since it is the brains behind so much foreign currency exchange, disabling its services is having a big impact on travelers worldwide. This is precisely the kind of attack that shows how fragile and interconnected Western computer networks are.