Security Businesses

Foreign Exchange Company Travelex Being Held To Ransom By Hackers (bbc.com)

Hackers are holding foreign exchange company Travelex to ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper. From a report: On New Year's Eve, hackers launched their attack on the Travelex network. As a result, the company took down its websites across 30 countries to contain "the virus and protect data." A ransomware gang called Sodinokibi has told the BBC it is behind the hack and wants Travelex to pay $6 million. The gang, also known as REvil, claims to have gained access to the company's computer network six months ago and to have downloaded 5GB of sensitive customer data. Dates of birth, credit card information and national insurance numbers are all in their possession, they say. The hackers said: "In the case of payment, we will delete and will not use that [data]base and restore them the entire network. "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."
  • Not too big to fail. (Score:4, Interesting)

    by thegarbz ( 1787294 ) on Wednesday January 08, 2020 @12:26PM (#59599570)

    Only 6500 employees and less than $1bn market cap. These guys are not too big to fail. If the hackers don't sink them then the regulator should for failing to take security precautions while handling other people's money.

    • 6500 people lose their livelihoods because of the incompetence of a couple, or even a single, IT person. That's really sad.
      • Sad yes, but not too big to fail. 6500 people punished to prove to corporations that profit is not everything may be acceptable. 65000 people and suddenly you're too big to fail and if you prioritise profits over ethics and compliance your local government will have your back.

      • A whole car lost its ability to move under its own power because of the failure of a single intake valve.

        With complex machinery (and corporations), it only takes one small thing to go wrong and the whole house of cards comes tumbling down. Almost every major company downfall has been caused by less than 1% of the staff doing something either incompetently, unethically, or downright illegal. Travelex won't be the last
      • by skaag ( 206358 )

        It's NOT a single IT person, Ever. It is ALWAYS the CEO's fault, period.

        The CEO allowed their IT teams to choose Windows based systems, the CEO did not take security seriously, and the CEO may not have allocated a budget for proper security audits, education, maintenance, etc.

        The CEO basically failed to understand their company exists in the year 2019 (now 2020), a time in which the internet is a wild west and hacks are not a question of IF, but a question of WHEN.

        • Everything you offered is based on very high-level assumption. You're assuming every one of those actions. What we do know for fact is that the IT department is the one responsible for securing their machines and network and they failed to do that. They could have been fully funded or not. It doesn't matter. They're the only one we're sure failed to do their job here.
    • by AmiMoJo ( 196126 )

      Does anyone have a GDPR contact address for them?

      I've been working my way through companies getting my data deleted but unfortunately have not got to T yet.

      Now I'm going to give them the full Monty. Request all data, all policies, details of their secure storage systems, details of the breach etc.

  • NONE of this shit happened before BitCoin and other Cryptocurrencies created to facilitate stuff like Silk Road transactions.

    It's high time (pun intended) for the outright outlawing of Cryptocurrencies.

    Eliminate the ability to hide the money trail and let Interpol handle the rest. Ransomware will be a bad memory within months.

    • No. Bitcoin serves a purpose. Tracking everyone you conduct transactions with is both insecure and leads to authoritarianism. These asshats didn't protect their network, and now they are paying for it. I have worked in the IT industry and talking about security typically leads to eye rolls as business execs used to translate "security" to "get us to pay for something that can drive us additional value, but I can't say I don't want to do it".

      It is not trivial to protect yourself. Just have an isolated ver
      • No. Bitcoin serves a purpose.

        You cleverly omitted the two real purposes: anonymity and gambling on its price.

      • by NoMoreACs ( 6161580 ) on Wednesday January 08, 2020 @12:48PM (#59599666)

        No. Bitcoin serves a purpose. Tracking everyone you conduct transactions with is both insecure and leads to authoritarianism.

        Bullshit.

        Authoritarianism will never live or die on the backs of Cryptocurrency.

        Sorry, the known bad far outweighs the possible good for this abomination.

        And being the employee of a small Mom and Pop company that was recently extorted by the RYUK group, even having daily backups like we did was of little help, and the measures you suggest are far outside the capabilities of a small company with no dedicated IT staff.

        • by twocows ( 1216842 ) on Wednesday January 08, 2020 @01:37PM (#59599864)

          Authoritarianism will never live or die on the backs of Cryptocurrency.

          On what grounds do you base that claim? I won't narrow this to cryptocurrency in particular, but some method of having anonymous transactions (e.g. cash) is extremely important to resisting oppressive governments. China, for instance, is able to trace almost every transaction made in its borders using their pervasive e-pay systems. Do you think the protesters in Hong Kong would be able to effectively resist the Chinese government's actions if the Chinese government could track all their payments? How do you propose they secure funding for things like buying enough food and water to survive in that situation? If the Chinese government can track their transactions, they can figure out who they are and what they're doing. They can get them fired from their job and make sure they can't get payments from outsiders who may support their cause.

          • On what grounds do you base that claim? I won't narrow this to cryptocurrency in particular, but some method of having anonymous transactions (e.g. cash) is extremely important to resisting oppressive governments.

            I absolutely agree with you, and if a government outlaws CASH transactions, then I'll be the first to Sound the warning!

            But this PARTICULAR form of anonymous transaction seems to be overwhelmingly used for Ransomware transactions, and quite frankly, is tantamount to a National Security threat, no fooling!

            So, as long as cash is available in one form or another, and because direct barter cannot be outlawed in any meaningful way, the "because totalitarianism" argument for Cryptocurrency go

            • The thing is, both forms of currency can be outlawed e.g. by the Chinese government, but it's a lot more difficult to stop the use of an electronic currency.

              I would not be surprised if in the coming years China restricts its official currency in certain types of transactions. The pervasiveness of their e-pay solution would make this entirely feasible in the mainland.
              • The thing is, both forms of currency can be outlawed e.g. by the Chinese government, but it's a lot more difficult to stop the use of an electronic currency.

                Bullshit.

                Anytime your "Currency" is based on an electronic transaction, it becomes trivial to stop.

                What is impossible to stop is two people exchanging something in person. Cash or Barter (essentially the same thing, but especially Barter) requires no technological trappings whatsoever, and even if a country outlaws the use of its own Currency, it cannot exist in the world market without allowing other country's currency to circulate and be exchanged. And once there is cash or barter in one link of the chain

          • On what grounds do you base that claim? I won't narrow this to cryptocurrency in particular

            Isn't that kind of saying you will move the goalposts while the GP is taking his kick? But anyway your argument itself isn't on much better ground.

            Do you think the protesters in Hong Kong would be able to effectively resist the Chinese government's actions if the Chinese government could track all their payments?

            You know what we haven't seen the Hong Kong protesters do? Take up cryptocurrency in any primary transaction form. That one example effectively kills your entire argument against the GP's assertion that cryptocurrency won't make or break authoritarianism. And why would it? Authoritarianism existed before cryptocurrency, it continues to exist now, and while it exi

        • Why were the daily backups little help? That's usually the golden ticket out of ransom jail... most people who get bit that I hear about are the ones who didn't have that. What else were they doing to you?
          • Why were the daily backups little help? That's usually the golden ticket out of ransom jail... most people who get bit that I hear about are the ones who didn't have that. What else were they doing to you?

            Because a Server reassignment about 6 months ago meant that some critical data that was being diligently backed-up daily suddenly stopped being backed-up.

            Yes, our bad, call us idiots; but as I said, something that is all-too-easy to have happen in a small company with no dedicated IT.

            But fortunately, a whole lot of our data was still being diligently backed-up. So we are still going to be able to avoid paying the criminals.

            However, even though the Data was backed-up, the possibility of Restoring still-infect

            • If you had had full backups of the critical data, would you have been in the clear faster? I know of a couple companies that rolled their entire small business back a week, in its entirety. Not feasible for a large corp, but if *everything* is backed up nightly, it seems to work (assuming the criminals got in through some sort of password leak or someone clicking on a bad link and not because of a fundamental security flaw in the server).
      • by jellomizer ( 103300 ) on Wednesday January 08, 2020 @12:51PM (#59599682)

        Using Anarchy to Combat Authoritarianism doesn't solve anything. These are ideals not electrical charges. They won't just cancel themselves out.

        While we should always be improving system security. We also need to be sure that criminals who abuse the system, are found and punished justly.

        System security is a game that you need to keep on playing. Just after you isolate your versioned backups, and have two-factor authentication. There will be a hole perhaps in your backups that will allow those to seem to be corrupted, and some back door that wasn't blocked with two factor authentication. You always need to assume you are vulnerable, past success doesn't guarantee future results.

      • by Sarten-X ( 1102295 ) on Wednesday January 08, 2020 @12:56PM (#59599712) Homepage

        Tracking everyone you conduct transactions with is both insecure and leads to authoritarianism.

        Ironically enough, that's exactly what BitCoin's public ledger does. It just moves the identification problem from being in the record to needing external mapping, but that's what authoritarian regimes do best.

        These asshats didn't protect their network...

        This is not a company problem. This is an industry problem. For decades, "IT guys" have sold security solutions as something to be bolted on to an existing system.

        Just have an isolated versioning backup system that is disconnected from the administrative network of your core IT, and do that AFTER you have patched your network, enabled two-factor, changed defaults, removed local admin privileges from normal users, and subscribed to a professional SPAM service.

        ...and none of that will have any significant impact on a corporate threat model, but it'll cost a lot and make your CTO look like they've been really busy. Buying that much consultant time will make your company look exciting, too, but it won't protect your data.

        Security is a process of ongoing improvement. It requires having an IT team that works with the rest of the business and learns what the business needs to get the job done. IT should then make changes in the order of least impact to the business. If users need to use USB drives to move data, order company-provided encrypted ones. If users need administrator access to their computers, start rolling out access restrictions so their elevated access is limited to their own machine.

        As more small changes happen, more user problems will surface. That's when products are purchased - not to restrict the business, but to enable using capabilities securely. Above all else, remember it is almost never the user's fault if something goes wrong. If some piece of information technology doesn't work, it's the IT department's problem. Usually, it's because the IT guys didn't understand the business needs, or didn't provide adequate training or intuitive systems. Users will always do what's easiest to meet their goals. It's your job to make sure the easiest path is the right one.

      • No. Bitcoin serves a purpose.

        Mainly, enabling various fancy new kinds of crime. Ransomware is bringing down not just a few asshats who don't protect their networks, but entire governments and hospital systems. All it takes is a single employee clicking on an email link that looks legitimate.

        I predict a return of one traditional form of crime, kidnapping individuals for ransom. This has become obsolete in modern countries because in a surveillance society it is impossible to arrange a secure money drop. Crypto makes anonymous money drop

        • You probably attack cryptocurrency at the exchange level where it's turned into real currency.

          I'm sure there's somebody who claims they can do all their financial transactions in bitcoin, but really it needs to be converted into real currency to be truly useful as money.

          Obviously there will always be "black market" exchangers, but this will raise the price of converting it to real money and still alter behavior.

    • by DesScorp ( 410532 ) on Wednesday January 08, 2020 @12:43PM (#59599640) Journal

      NONE of this shit happened before BitCoin and other Cryptocurrencies created to facilitate stuff like Silk Road transactions.

      It's high time (pun intended) for the outright outlawing of Cryptocurrencies.

      Eliminate the ability to hide the money trail and let Interpol handle the rest. Ransomware will be a bad memory within months.

      I've long thought that governments would eventually ban cryptocurrencies, and that their stated reason would be something along the lines of "Criminals and Terrorists use it". The irony is that I thought this would be a bullshit excuse, and that they'd ban in reality because they didn't want the competition with their central banks and treasuries. I never thought that the criminals would come along and actually prove governments right. But that's where we are. Pretty soon, there will be popular support for banning crypto.

      If/When Bitcoin dies, we can thank a bunch of Russian/Ukrainian E-crooks. Once again, a good computer idea... email, FTP, newsgroups, crypto... is ruined because a bunch of scumbags took advantage of the rest of us.

    • NONE of this shit happened before BitCoin and other Cryptocurrencies created to facilitate stuff like Silk Road transactions.

      It's high time (pun intended) for the outright outlawing of Cryptocurrencies.

      Eliminate the ability to hide the money trail and let Interpol handle the rest. Ransomware will be a bad memory within months.

      I agree with this. While some talk up other features and advantages of crypto, the real attraction is anonymity.

      I'm with you: Dry up the untraceable payment system. Malicious attacks would continue, but having no value to the hackers would be a deterrent.

    • Highway robbery didn't exist before there were highways. Therefore we have to outlaw highways.
    • Eliminate the ability to hide the money trail and let Interpol handle the rest.

      And what happens when Interpol and agencies like it become tools of an authoritarian regime? Having the ability to hide the source of a transaction is as important to criminals as it is to, for instance, citizens engaged in resistance against a tyrannical authoritarian regime. And while it's unfortunate that criminals benefit, it's far more important that people have access to tools to fight oppressive governments.

      Criminal or

      • Criminal organizations are certainly very dangerous, but their reach tends to be limited and the law usually allows people to fight back.

        Really?

        Reach tends to be limited? True, they so far can't reach businesses on other planets, or without internet access. Other than that, though...

        Law usually allows people to fight back?' Please explain how those laws can be applied in a practical sense, when the criminals are half a planet-away in a country with no extradition treaty with the U.S.?

        You make a lot of sense (sarcasm).

        • by twocows ( 1216842 ) on Wednesday January 08, 2020 @02:16PM (#59600030)
          How much of the non-business population do you think is affected by ransomware? I would wager it's a very small part. Ransomware overwhelmingly targets businesses, and while that's still a major problem, it's not the kind of existential threat to personal liberty that a corrupt government represents. The nature of the threat is very different, and while it's still severe, it's much less severe.

          When I talk about fighting back against criminals, I mean that both people and governments usually have a vested interest in fighting them. This means governments and citizens can work together to try and bring down criminals. When the law enforcement apparatus is itself corrupt, however, the people being wronged are deprived of the means to fight back. Try to fight a tyrannical government and you become the criminal, basically by definition. That's what I'm trying to get at.
    • Actually, shit like this did happen before cryptocurrencies, and continues to happen.

      Example: An elderly couple falls for a telephone scam and is tricked into wiring money into some scammer's bank account. The scammer transfers the funds into some "offshore" bank. Speak to law enforcement or the victim's bank and there is no talk of recovering the money. They all act as though funds transferred to a foreign bank are irretrievably lost. There is no technical reason for this. Funds are transferred electronica

      • Actually, shit like this did happen before cryptocurrencies, and continues to happen.
        Example: An elderly couple falls for a telephone scam and is tricked into wiring money into some scammer's bank account.

        Ransomware didn't exist before Cryptocurrency.

        Prove me wrong; I dare you.

        • 5 seconds of Googling would have shown you that ransomware goes back as far as 1989 [wikipedia.org].
          • 5 seconds of Googling would have shown you that ransomware goes back as far as 1989 [wikipedia.org].

            Ok, but those were pretty lame attempts. And quite few and far-between.

            As your own source states:

            Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker—using the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users.[35]

            So, maybe the idea was there; but the trul

    • by skaag ( 206358 )

      Comments like yours are sad. The majority of crime around the world happens over the Euro, the Chinese RMB, and the US Dollar. The rest happens using Gold, Diamonds, and Oil. Only a very tiny fraction of crime committed happens using Crypto.

      Also, be glad that those guys at least didn't wipe Travelex's network and just sold the database, they could have! And Travelex certainly deserves it. They deserve to die regardless, for being criminally incompetent. Travelex should pay up and shut up, and then they shoul

  • So even if they restore from backup, they are still on the hook if they don't want the database leaked. Even so, there is no guarantee the hackers will honor their statement and delete their copy.

    • There isn't even a guarantee these hackers will be any more capable of protecting their copy from theft by other hackers.

  • by account_deleted ( 4530225 ) on Wednesday January 08, 2020 @12:40PM (#59599624)
    Comment removed based on user account deletion
    • "we paid crooks to give us your data back" is corporate suicide.

      Oh, but the victim won't pay the crooks. Companies who don't want to have a PR disaster publicly say "we won't pay", then go hire a ransomware recovery firm for 11% of the ransom, and that firm turns around and pays the ransom. The company keeps their hands clean, and just says "our partnership was successfully able to restore operations".

      Of course, the crooks still got paid, so they properly delete their extortion database, and everybody comes out looking good. If they were to release the database anyway,

      • hire a ransomware recovery firm for 11% of the ransom

        Tough business model those recovery firms have.

        • Hah! Foiled by my poor typing skills and lack of proofreading... That should have been 115%, of course...

        • by BranMan ( 29917 )

          I'm sure he meant to write 110%, but I agree - unless they are really good hagglers!

        • don't be too surprised to find out some of these "security recovery firms" have nice cozy relationships with these malware producers... they sell the idea that they are recovering your data with their special expertise... but all they are doing is keeping the list of contacts at each botnet and agreeing on a prepaid 30% of what they are asking their "clients" for... then they just charge the client "double" that and say it was the costs of decrypting the keys..... it is a scam market now.
      • Travelex are not the victims. They will carry on regardless collecting information they should never have retained and "bravely" not pay a dime. Their customers are the victims (even before this heist) and they will get no redress.
        • Travelex are not the victims. They will carry on regardless collecting information they should never have retained and "bravely" not pay a dime. Their customers are the victims (even before this heist) and they will get no redress.

          So, how is that an argument for continuing to allow Ransomware to flourish?

      • by Agripa ( 139780 )

        then go hire a ransomware recovery firm for 11% of the ransom

        Invest 10% of the ransom whether paid or not into a no questions asked bounty.

    • It is not just the system, if it is true that the ransomers actually do have 5 GB there is the issue of what happens if they start releasing that to competitors or even the clients or do a data dump to the Internet.
    • I always liked the movie ransom... it would be messed up if every company taken by ransomware decided to place the ransom amount as a bounty instead.

  • No, not taking down companies as such. It would be nice if all contributions to political parties and pols could be with a public ledger. It won't cure the greedy, they'll find a way. But it might help staunch the flood a bit.

    • OpenSecrets (https://www.opensecrets.org) should have donations to parties and pols, type a name into the search box. What it won't have is Super PAC money (thanks SCOTUS!), corporations are allowed to give unlimited money to groups that aren't candidates in order to influence the election.

  • This is just more M$ tax. If you run Windows, it's Russian roulette if you get held to ransom. Best advice, rock with something that has mandatory access controls, like SELinux or TrustedBSD.

  • This was posted about a week ago. How has Slashdot only got this now?
