The double-whammy of getting hit with a ransomware attack last New Year’s Eve that sidelined its global operations for two-and-a-half weeks coupled with COVID-19’s toll on air travel, put currency exchange provider Travelex into administration, the U.K. equivalent of bankruptcy, late last week. If internal assessments are correct, the situation serves as an example of the economic impact of ransomware and other cyberattacks.
Paying the ransom does not prevent an organization from incurring other expenses and losses, noted Caroline Thompson, head of underwriting at Cowbell Cyber, adding that attacks such as what happened to Travelex will generate damages that will go far beyond the ransom payment itself. “Business interruption can cause revenue loss, reputational harm, even compromised data, which a cyber insurance policy can cover,” said Thompson, who believes an organization’s best preparation for a ransomware attack is to always have a readily available backup.
Travelex’s financial woes come as no surprise, considering its Abu Dhabi-based parent company, Finablr, said March 2 – just two months after the attack – that it expected to take a £25 million earnings hit as a result, even though the company had a cyber insurance policy.
The timeline of the lead-up to the Travelex incident and its aftermath seems to indicate that a mix of possibly costly security missteps that helped lead the company to its current fate. In September 2019, a cybersecurity firm said it had alerted Travelex to vulnerable VPNs. The company did not respond. At the time, the currency exchange provider operated more than 1,200 ATMs in 27 countries and processed 5,000 transactions per hour.
“For some organizations, such as financial trading or others that conduct rapid business transactions, downtime can result in large-volume financial losses, not to mention disruption of ongoing productivity,” said Tony Cook, director at the Crypsis Group.
In the Travelex case, empty airports for the past few months because of the pandemic probably had more to do with its recovery problems than the ransomware attack itself.
“Disruptions culminate with the business either having to pay a hefty ransom, or, in some unfortunate cases, business dissolution for those that can’t afford to pay the asking price,” Cook noted, speaking generically.
Following the crippling, targeted REvil/Sodinokibi attack that New Year’s Eve, Travelex reportedly paid a ransom of $2.3 million in bitcoin. The company’s Abu Dhabi-based parent firm, Finablr, then commissioned PwC to sell Travelex but the effort apparently failed. In the meantime, a restructuring cut 1,309 jobs but saved 1,802 jobs in the U.K. and another 3,635 positions globally.
Criminals behind various ransomware variants are working to produce more persistent revenue streams, damaging their victims in new ways, he pointed out. Many malicious actors have shifted their tactics to carefully target larger companies with the objective of exfiltrating as much sensitive data in the environment – although Travelex contended this did not happen – as possible to extort companies into paying the ransom.
“We’ve seen numerous cases where threat actors are providing organizations a period of time to pay; if they don’t, a sample of the exfiltrated data is uploaded to a shaming site,” Cook said, adding such an occurrence is destructive to a company’s image, leading to a loss of customer confidence and negative repercussions on their business as a whole.
“Depending on the data exfiltrated, this new flavor of ransomware attack could lead to the loss of PII, ePHI, credit card numbers, credentials, etc., which can have a lasting effect on the brand and result in class action lawsuits against the company,” he said.