#ransomware #sodinokibi #fintech

Travelex on New Year's Eve

On December 31, 2019, the foreign-exchange chain Travelex took its websites offline 'for planned maintenance'. The maintenance lasted weeks; the ransom was paid in Bitcoin.

Cyber Chronicle

On December 31, 2019, the foreign-exchange company Travelex posted a notice explaining that its websites were temporarily down for planned maintenance. The notice held for days, then weeks. Travelex bureaus inside airports and shopping centers across the world stopped processing currency online and fell back to handwritten paper transactions while staff awaited rate sheets from London by email.

A patch that did not happen in time

The intrusion exploited a Pulse Secure VPN vulnerability for which a patch had been available since the previous April. The attackers — operators of the Sodinokibi ransomware, also known as REvil — had been inside the Travelex network for months before encrypting it. They reportedly exfiltrated five gigabytes of data and demanded six million dollars in ransom.

Travelex eventually paid roughly $2.3 million in Bitcoin to recover its systems and prevent the publication of stolen data. The parent group, Finablr, was already financially fragile. Within months of the breach, Finablr collapsed amid accounting scandals unrelated to the ransomware incident, and Travelex itself entered administration.

What the chronicle remembers

Travelex was an early high-visibility demonstration that ransomware against a payments or FX rail does not stay an IT problem for long. The brand visibility — Travelex desks were in nearly every major Western airport — made the recovery painfully public. The company's eventual administration, arriving on top of unrelated stresses, illustrated the cliché that ransomware rarely kills a healthy company, but it can be the final shove for one that is not.