The world’s largest foreign exchange company, Travelex, experienced a cyberattack on New Year’s Eve which took its website out of action and affected companies such as Tesco, Barclays, and HSBC, which used its FX services. Since the attack occurred, Tesco, Sainsbury’s, and other companies that use Travelex FX services have been unable to provide online currency exchanges to their customers.
Travelex discovered a virus on its network on New Year’s Eve. Its website was taken offline as a precaution to contain the virus and protect data. The website is still down and there are no indications when it will be brought back online. The website currently says “Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly.” Without access to the online services, Travelex has had to perform currency exchanges manually over the counter in its branches.
Staff have been working round the clock to remove the virus and restore the company’s systems. The investigation into the attack is ongoing, but Travelex has issued a statement saying that so far, no evidence has been found to suggest that any personal or customer data has been compromised.
No information has been released about the type of virus or how it got onto the network. Unconfirmed reports from insiders suggest ransomware was installed which encrypted files and prevented staff from accessing their computers.
Recently, the FBI issued an alert about the growing threat of ransomware attacks involving LockerGoga and MegaCortex ransomware and, just before Christmas, Maze ransomware. These ransomware variants are often deployed as a coup de grâce several months after a network was first compromised. While they have access, the attackers scour the network, steal sensitive information, and gain access to as many devices as possible before the ransomware is deployed.
One theory put forward by security researcher Kevin Beaumont is that the attack took place via remote desktop services. Beaumont said on Twitter “Travelex’s AWS platform had Windows servers with RDP enabled to internet and [network level authentication] NLA disabled, oops.”
Public-facing Windows servers require NLA to be enabled to ensure individuals are authenticated and have to log in before being granted access to a remote desktop session. Travelex was also using Windows Server 2008 R2 with .NET 4.0.30319 and computers were running Windows 8. These operating systems are out of date, and support for Windows 8 comes to an end on January 14, 2020.
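The RDP/NLA point above, as an added example that is not from the article or from Travelex: a PowerShell audit that reports, for each server, whether Remote Desktop is allowed and whether NLA is required, and optionally enforces NLA. It assumes the standard Win32_TerminalServiceSetting and Win32_TSGeneralSetting WMI classes (present on Windows Server 2008 R2 and later); the function name Test-RdpNla is mine.

```powershell
# Added audit script (not part of the original article). Run from an elevated
# PowerShell session; remote hosts need WMI/DCOM access and admin rights.
function Test-RdpNla {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$Remediate   # when set, require NLA on hosts where it is off
    )
    $ns = 'root\cimv2\TerminalServices'
    foreach ($c in $ComputerName) {
        try {
            # AllowTSConnections: 1 = RDP connections allowed, 0 = denied
            $svc = Get-WmiObject -ComputerName $c -Namespace $ns -Class Win32_TerminalServiceSetting
            # UserAuthenticationRequired: 1 = NLA required before the logon screen is shown
            $gen = Get-WmiObject -ComputerName $c -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
        } catch {
            [pscustomobject]@{ ComputerName = $c; RdpAllowed = $null; NlaRequired = $null; Finding = "query failed: $($_.Exception.Message)" }
            continue
        }
        $rdpAllowed  = ($svc.AllowTSConnections -eq 1)
        $nlaRequired = ($gen.UserAuthenticationRequired -eq 1)

        if ($rdpAllowed -and -not $nlaRequired) {
            $finding = 'RDP allowed WITHOUT NLA - fix'
            if ($Remediate) {
                # Applies to new connections; existing sessions are not dropped
                $null = $gen.SetUserAuthenticationRequired(1)
                $finding = 'RDP allowed, NLA now enforced'
            }
        } elseif ($rdpAllowed) {
            $finding = 'RDP allowed with NLA'
        } else {
            $finding = 'RDP disabled'
        }
        [pscustomobject]@{
            ComputerName = $c
            RdpAllowed   = $rdpAllowed
            NlaRequired  = $nlaRequired
            Finding      = $finding
        }
    }
}

# Example: audit the local host and two named servers, report only
Test-RdpNla -ComputerName $env:COMPUTERNAME, 'srv-fx-01', 'srv-fx-02' | Format-Table -AutoSize
```

Pair the NLA check with a review of which hosts actually expose TCP/3389 to the internet (security group or firewall rules), since NLA reduces exposure of the logon screen but is not a substitute for keeping RDP off the public internet.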
Travelex is no stranger to security breaches. On 2 March 2018, it discovered the personal information of 17,000 Tesco Bank Travel Money customers was compromised between 14 December 2016 and 23 January 2017.