Educational & easy-to-consume visual guides to understanding attacks & enhancing resilience
At Cyber Management Alliance, Incident Response is our passion. We study and analyse cyber-attacks to create informational visual timelines which can be easily read for educational purposes and to enhance cyber resilience.
For the Travelex cyber-attack, we have created a visual timeline and an accompanying detailed report. Download it now.
Don't forget to read our blog on the Travelex Cyber Attack
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
On New Year's Eve, 31 December 2019, Travelex - then the world's largest currency-exchange business - was hit by a ransomware attack that crippled its currency-exchange operations. The company took its websites and systems offline to contain the malware, replacing its sites with 'planned maintenance' notices, and customer-facing services in the UK were disrupted for around two weeks. The attack was attributed to the Sodinokibi (also known as REvil) ransomware group, which claimed to have encrypted Travelex's network and stolen customer data, and reportedly demanded a multi-million-dollar ransom. The incident, later compounded by the impact of COVID-19, contributed to severe financial damage and the eventual restructuring of the business.
Travelex was hit on 31 December 2019 and took its systems offline the same day. It publicly acknowledged the disruption on 2 January 2020 (initially describing it as 'planned maintenance'), and its CEO apologised on 3 January 2020. Independent researchers confirmed the Sodinokibi/REvil ransomware on 6 January 2020. Phased recovery of UK customer-facing systems began around 17 January 2020, with global systems reported as fully restored by 24 February 2020. The wider business fallout continued through 2020.
The attack was attributed to the operators of Sodinokibi, also known as REvil - a ransomware-as-a-service operation linked to a financially motivated threat group often referred to as Gold Southfield. The group claimed responsibility in communications with media and security researchers and issued ransom demands. As with most ransomware cases, the individuals behind the group were not publicly identified, and attribution rests on the ransomware used and the attackers' own claims.
Sodinokibi - also known as REvil - is a strain of ransomware first reported by Cisco Talos in April 2019 and operated on a ransomware-as-a-service (RaaS) model, meaning affiliates use the malware in exchange for a share of the proceeds. It is associated with the financially motivated Gold Southfield group. The malware encrypts victims' files and has been used in numerous high-profile extortion attacks, typically demanding cryptocurrency payment in exchange for a decryption key and a promise not to leak stolen data.
Reporting attributed the intrusion to unpatched Pulse Secure VPN servers affected by CVE-2019-11510, a critical pre-authentication arbitrary file-read vulnerability in Pulse Connect Secure: an unauthenticated attacker can retrieve files from the appliance, including cached credentials and session data, which is why patching alone does not evict an attacker who has already harvested them. Travelex reportedly ran seven unpatched Pulse Secure VPN servers; the flaw had been disclosed and patched by Pulse Secure in April 2019, and security researcher Troy Mursch of Bad Packets had publicly flagged Travelex's exposure in September 2019. According to reporting, the warning was not acted upon, leaving the vulnerable VPN as the likely entry point. Travelex did not officially confirm the exact attack vector, and some reporting also referenced weak access-control configuration on cloud-hosted Windows servers.
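As an added example (not code from this page, from Travelex or from Pulse Secure), the following Python applies the vulnerability-management gate that would have flagged the exposure described above: it parses Pulse Connect Secure version strings and checks an appliance inventory against the CVE-2019-11510 affected ranges. The fixed builds are taken from Pulse Secure advisory SA44101 and are not listed on this page; the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Version gate for CVE-2019-11510 on Pulse Connect Secure appliances.

Added example, not code from the page or from Pulse Secure. The affected
and fixed versions below are taken from Pulse Secure advisory SA44101
(April 2019); the page itself does not list them:
    8.1R1 - 8.1R15   fixed in 8.1R15.1
    8.2R1 - 8.2R12   fixed in 8.2R12.1
    8.3R1 - 8.3R7    fixed in 8.3R7.1
    9.0R1 - 9.0R3.3  fixed in 9.0R3.4 (9.0R4 and later are also fixed)
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, release, maintenance)

# Branch (major, minor) -> first fixed build in that branch, as a tuple.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (8, 1): (8, 1, 15, 1),
    (8, 2): (8, 2, 12, 1),
    (8, 3): (8, 3, 7, 1),
    (9, 0): (9, 0, 3, 4),
}

# Pulse version strings look like "9.0R3.3" or "8.3R7"; the trailing
# ".N" maintenance number is optional.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_pcs_version(text: str) -> Version:
    """Parse '9.0R3.3' -> (9, 0, 3, 3) and '8.3R7' -> (8, 3, 7, 0).

    Treating a missing maintenance number as 0 makes plain tuple comparison
    correct: 8.3R7 sorts below the fixed build 8.3R7.1.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Pulse Connect Secure version: {text!r}")
    major, minor, release, maint = m.groups()
    return (int(major), int(minor), int(release), int(maint or 0))


def is_vulnerable_cve_2019_11510(text: str) -> Optional[bool]:
    """True if the build is in an affected range, False if at or after the fix,
    None if the branch is outside the advisory (e.g. 9.1) and needs a manual look."""
    v = parse_pcs_version(text)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (hostname, version) pairs into patch_now / patched / review buckets.

    Unparseable version strings land in 'review' rather than being dropped,
    so an appliance with a blank inventory field cannot silently pass the check.
    """
    buckets: Dict[str, List[str]] = {"patch_now": [], "patched": [], "review": []}
    for host, version in inventory:
        try:
            state = is_vulnerable_cve_2019_11510(version)
        except ValueError:
            buckets["review"].append(host)
            continue
        if state is True:
            buckets["patch_now"].append(host)
        elif state is False:
            buckets["patched"].append(host)
        else:
            buckets["review"].append(host)
    return buckets


# Constructed sample inventory (hypothetical hostnames, not Travelex's).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("vpn-lon-01", "8.3R7"),      # last unpatched build of the 8.3 branch
    ("vpn-lon-02", "9.0R3.3"),    # last unpatched build of the 9.0 branch
    ("vpn-nyc-01", "9.0R3.4"),    # first fixed 9.0 build
    ("vpn-syd-01", "9.1R2"),      # branch not covered by SA44101
    ("vpn-lab-01", "unknown"),    # bad inventory data
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Passing this gate is necessary but not sufficient: because the flaw disclosed credentials and session data, any appliance that was exposed while vulnerable also needs its local and VPN credentials reset and active sessions invalidated after the upgrade. The check covers only the branches named in the advisory; anything else, including unparseable inventory entries, is routed to a review bucket rather than assumed safe.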
Travelex initially said its own investigation had found no evidence that customer data was compromised. However, the Sodinokibi group claimed to BleepingComputer that it had encrypted Travelex's entire network and exfiltrated more than 5GB of personal data, said to include customers' dates of birth, card information and other details, with some reports also referencing national-identifier data. The attackers threatened to publish the data if a ransom was not paid. The full extent of any data theft was not independently confirmed.
Travelex never officially confirmed paying a ransom, but multiple reports - including a Wall Street Journal story in April 2020 - stated that it paid around $2.3 million (about 285 Bitcoin) to the Sodinokibi group, with the payment believed to have been made between 6 and 17 January 2020. The attackers had initially demanded a larger sum, reported at around $3 million, and threatened to publish stolen data if it was not paid within seven days. None of these figures were confirmed by Travelex.
The impact was severe. Travelex reported an expected quarterly loss of around £25 million, which it attributed to the combination of the ransomware attack and the emerging COVID-19 pandemic. Its parent company Finablr saw its share price collapse by roughly 80% in March 2020, and Travelex was ultimately put up for sale. In August 2020, as administrators from PwC handled a restructuring, around 1,309 UK employees were made redundant. Reporting consistently framed the collapse as the result of the 'twin shocks' of the cyber attack and COVID-19 rather than the attack alone.
Travelex's customer-facing systems in the UK were disrupted for roughly two weeks, with internal recovery beginning within about six days. The company took all systems offline on 31 December 2019, began restoring internal systems in the week of 6 January 2020, and brought the first UK customer-facing systems back online around 17 January 2020. It then restored services in phases, prioritising the UK, and reported that systems across the UK, Europe, North America, the Middle East, Turkey, Australia, Asia and New Zealand had been restored by 24 February 2020.
Because many banks and retailers relied on Travelex for foreign-exchange services, the outage rippled well beyond Travelex itself. UK banks and partners including Barclays, HSBC, Royal Bank of Scotland, Virgin Money, Tesco, First Direct and Sainsbury's were reportedly unable to offer currency-exchange services while Travelex's systems were offline. Customers were left unable to access travel money - some stranded abroad or queuing at airports - illustrating how a single supplier's outage can disrupt an entire ecosystem.
The Metropolitan Police's cyber crime unit was contacted on 2 January 2020 and opened an investigation, and by 8 January 2020 the National Cyber Security Centre (NCSC) and the Financial Conduct Authority (FCA) were reported to be examining the incident. According to news reports, the Information Commissioner's Office (ICO) said it had not been notified within the 72-hour window that the GDPR sets for reporting a personal-data breach likely to pose a risk to individuals, raising the prospect that Travelex could be asked to explain the delay and potentially face a fine. No regulatory penalty had been confirmed at the time of reporting.
The Travelex incident is a textbook example of how a known, unpatched vulnerability can escalate into a business-critical ransomware crisis. The key lessons are that timely patching and vulnerability management are essential - the Pulse Secure VPN flaw had been public and patched months earlier, and because it exposed credentials, remediation also meant resetting passwords and sessions on any appliance that had been exposed while vulnerable; that breach-notification obligations (such as the GDPR's 72-hour deadline for reporting to the ICO) must be built into incident response; that third-party and supplier dependencies can spread impact across an entire sector; and that resilient, tested backups, rehearsed crisis plans and honest, timely customer communication are vital. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.
We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.
Hands-on, full-support 'Security as a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.
A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.
Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.