After launching a cyber-attack on foreign currency specialists Travelex a week ago, hackers are reportedly holding the firm to ransom, forcing them to take down all of its sites globally.
The cybercriminals managed to access computer systems on 31st December using the ransomware known as Sodinokibi. They are threatening to release 5GB of customer’s data unless the company pays $3m.
Data exposed includes dates of birth, card information and social security numbers.
“Unfortunate and unsettling”
“The fact that Travelex was compromised is unfortunate and slightly unsettling. It’s never good to hear that a large global financial business fell victim to a cyberattack. The technical details on the attack vector are thin, with some security experts suggesting that unpatched security products could have been the source of the initial breach,” Says Wicus Ross, Senior Researcher at SecureData.
“Vulnerability management is a crucial part of any business these days and priority should be given to updating technology that causes the most impact when compromised.” Ross adds.
By being offline for the past week, the breach has impacted on many big firms including Tesco Bank, Sainsbury’s Bank, Virgin Money and First Direct who are all unable to take online orders for foreign money exchange.
Ethical and moral impacts
Ross has criticized the lack of communication over the last week which has left both customers and businesses in the dark of how the situation is being handled.
The senior researcher also comments on the treatment of the situation and questions the ethical impact that paying the ransom may have. He says: “The larger more pressing matter is how Travelex decides to respond to the extortion demands. What is the moral and ethical impact if Travelex bends to the demands of the criminals? Even if the intention is to protect the affected clients, suppliers, and other stakeholders. By paying the ransom, does it really protect anyone? Perhaps in the short-term, but what is the societal and economic cost?”
Creating security debt
The point of security debt is also raised by Ross who says: “Security debt is a concept that speaks to the known or unknown acceptance of security problems introduced through flaws in technology choices, policy choices, management failures, or ignorance. Security debt is latent. If acknowledged early and addressed soon, it limits any negative impact thus the risks are managed proactively.”
Adding: “However, ignoring and accumulating security risks leads to an increase in security debt. This accrual of debt becomes a burden and must be paid when it becomes due. The debt is collected when a security incident happens, such as a data breach, because of some security weakness or flaw that has been exploited. Similar to most debt that goes unchecked, it can only be wiped clean through bankruptcy. Or, if lucky, can be made manageable through austerity. Someone will have to cough up be it consumers, employees, shareholders, the economy, or society.”