Travelex Ransomware Cripples Establishment Banks Worldwide
Hackers planted powerful ransomware on a major currency company’s servers. The breach clobbered operations at several big banks, and the responsible party wants $6 million. If they don’t get it, they’re threatening to sell the data to black-market buyers. Could you be affected by the Travelex New Year’s Eve hack of 2020?
Travelex Owned by Ransomware
On New Year’s Eve, Travelex, the London-based currency exchange that operates in 70 countries, discovered Sodinokibi and REvil, two ransomware strains, on Travelex’s software. The company says it contained the problem and doesn’t think customer data has been compromised. Simultaneously, Travelex admits it doesn’t yet have a “complete picture” of the situation.
Hackers taking responsibility for the event told the BBC that they planted the ransomware on the system six months ago. In that time, they’ve come across “sensitive customer data.” They also set a date of January 14th for Travelex to hand over $6 million. (As of this writing, 21 days post-hack, there has been no word, except that the company’s machines are still offline.) If Travelex didn’t comply, the hackers threatened to sell the info to buyers with presumably exploitive goals.
Establishment Banks Caught in the Ransomware Crossfire
Establishment banks, like Royal Bank of Scotland, HSBC, and Barclays use Travelex for their currency exchange arms and were subsequently walloped by the breach. Three weeks after the hack’s discovery, employees at the banks are still working like it’s 1989 and doing calculations by hand.
EU May Slap Travelex With Huge GDPR Fine For Being Hacked
Since the UK is party to the General Protection Data Rule, a comprehensive digital privacy law that allows for actions against hacked companies, officials may force Travelex to fork over millions. According to the regulation, businesses that don’t maintain sufficient data breaches safeguards must pay a fine of either €20 million ($22 million) or 4% of the previous year’s global revenue, whichever is more. In 2018, Travelex raked in about €729.5 million, which would calculate out to about a €9.52 million fine.
On the GDPR front, things don’t look great for Travelex. Security professionals reportedly informed the company of its vulnerabilities months ago, and it didn’t act.
Officials in the UK and EU are investigating the case. A representative for Finablr Group, which owns Travelex, said it doesn’t expect to suffer “material financial impact.”
Despite the firm’s confidence, its stock plummeted 15% on the London Stock Exchange.