January 3, 2020, updated 05 Jan 2020 7:51pm

“Virus”-Crippled Travelex Was Running Windows 8, RDP Connected to Internet

Users left stranded with no access to FX

By CBR Staff Writer

Three days after foreign exchange provider Travelex pulled its systems offline after discovering a “software virus” on New Year’s Eve, the company’s UK website remains unavailable, and partners such as Barclays have been unable to offer online currency services through Travelex, which provides them with FX services.

Security experts say the company — which is FCA regulated and was running a payment platform on AWS — appears to have shown signs of poor network segmentation.

As Drew Perry, CEO of security firm Tiberium noted to Computer Business Review: “Its ‘digital transformation’ appears to have only covered its travelex.com estate (hosted on AWS using Cloudfront) while its UK domain remains down and is hosted on its own BT provided IP, so this server must be linked to internal infrastructure.”

Travelex appears to have recently created https://response.travelex.co.uk, while its UK site still returns an IIS error page; even the company’s investor relations pages remain offline.

Security researcher Kevin Beaumont meanwhile noticed that “Travelex’s AWS platform had Windows servers with RDP enabled to internet and NLA [network location service] disabled, oops.”
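As an added illustration (not code from the article or from Travelex), the following Python audit flags the two conditions Beaumont describes: RDP (TCP/3389) reachable from sources outside an allow-list of trusted ranges, and Network Level Authentication (NLA) disabled on the host. The trusted ranges, host names and inbound rules are constructed sample values; real rule data would come from an inventory export.

```python
"""Audit Windows hosts for internet-reachable RDP combined with missing NLA."""
import ipaddress
from dataclasses import dataclass, field

RDP_PORT = 3389

# Constructed allow-list: only these source ranges may reach RDP (for example a
# VPN concentrator and a bastion subnet). Any other source counts as exposed.
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.50.0/24")]

@dataclass
class InboundRule:
    protocol: str    # "tcp", "udp" or "-1" (all protocols, as AWS security groups express it)
    from_port: int
    to_port: int
    cidr: str        # permitted source range

@dataclass
class WindowsHost:
    name: str
    nla_enabled: bool   # Network Level Authentication required before the logon screen is shown
    rules: list = field(default_factory=list)

def rule_exposes_rdp(rule, trusted=TRUSTED_SOURCES):
    """True if this inbound rule lets a source outside the allow-list reach TCP/3389."""
    if rule.protocol not in ("tcp", "-1"):
        return False
    if rule.protocol == "tcp" and not rule.from_port <= RDP_PORT <= rule.to_port:
        return False
    source = ipaddress.ip_network(rule.cidr, strict=False)
    # Exposed unless the whole permitted range sits inside one trusted range.
    return not any(t.version == source.version and source.subnet_of(t) for t in trusted)

def audit_host(host, trusted=TRUSTED_SOURCES):
    """Return findings for one host; an empty list means RDP exposure is within policy."""
    findings = []
    exposed = [r.cidr for r in host.rules if rule_exposes_rdp(r, trusted)]
    if exposed:
        findings.append(f"{host.name}: RDP reachable from untrusted sources {exposed}")
        if not host.nla_enabled:
            # Without NLA, unauthenticated clients get a full logon session before any credential check.
            findings.append(f"{host.name}: NLA disabled on an internet-reachable RDP listener")
    return findings

if __name__ == "__main__":
    sample = WindowsHost("fx-web-01", nla_enabled=False,
                         rules=[InboundRule("tcp", 3389, 3389, "0.0.0.0/0")])
    for finding in audit_host(sample):
        print(finding)
```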

Travelex also appears to have been running Windows Server 8 – aging software that will see security support end on January 14. Insiders confirmed to Computer Business Review that it was a ransomware attack and said they understood it to have been the Sodinokibi variant, although they were not able to confirm this.

One staffer told us: “Global Travelex sites are offline (excluding those operated by partners – South Africa, Brazil). Services also offline include partners who whitelabel the service including Barclays, HSBC, FirstDirect, Tesco, ASDA, Sainsbury’s, Virgin Money, NatWest, RBS, Manchester Airport and Heathrow.”


January 5 screen grab of Travelex’s developer site. Contrary to this and other updates on the site showing no issues at all this year, the company is indeed broadly affected. 

They added: “Oddly their dev centre site reports no service issues… probably not a priority. Right now, there’s little else to tell as staff are kept in the dark.”

The company is the world’s largest foreign exchange specialist, with almost 800 retail branches in more than 26 countries. It is owned by India’s Finablr, an LSE-listed financial services company that owns a range of payments and FX brands. 

Many customers reliant on Travelex’s cards meanwhile have been left stranded overseas without access to foreign currency. 


Security experts say such attacks increasingly come at the end, rather than the beginning of targeted system intrusions, with such payloads triggered after system surveillance and in some instances data exfiltration.

Travelex provided few details about the incident, saying that the unnamed virus had “compromised some of its services”. It added: “As a precautionary measure in order to protect data and prevent the spread of the virus, we immediately took all of our systems offline”, saying that it believes no customer data has been stolen.

Customers took to social media to castigate the company for its response. One, Matt Bartlett, said he had been stuck in Canada for four days as a result.

The incident comes less than 24 months after Travelex leaked the details of nearly 17,000 Tesco Bank customers. (Travelex provides Tesco Bank’s FX services).

Recent ransomware strains are increasingly sophisticated, for example bypassing Windows protections by immediately rebooting computers and running them in safe mode, where end-point protection software doesn’t run.

As Aron Brand, CTO at Israel’s CTERA told Computer Business Review last week, robustly protected back-ups are an essential prerequisite for a rapid recovery after a ransomware attack.

He said: “Make sure all of your data is reliably backed up and physically separated from the main dataset, with backup versions in a read-only repository. In the event of an attack, you can rollback to an uninfected file version and be up and running quickly.”

He added: “If your data is outside your firewall, it must be encrypted. Keys should be generated and managed internally by trusted individuals, separate from any third-party service to ensure total data privacy.”

Updated 23:00 January 4, 2019, corrects Travelex owner to Finablr.

Banner image credit Tejvan Pettinger, Creative Commons, 2.0, Flickr. 
