
Travelex being held to ransom by hackers - sjcsjc
https://www.bbc.co.uk/news/business-51017852
======
LinuxBender
This is probably a good reminder for everyone to ask how their customer data
is backed up. Obviously your code is checked in to many git repos. Is your
customer data on a server that automation can tamper with? If so, is a copy
periodically written to a write-only destination that only a small number of
people can manage, and then backed up to another location that a different
group of people can manage? It probably also would not hurt to have a signed
copy of a manifest that has checksums of all the files.
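A worked version of the signed checksum manifest described above, added here as an example; it is not code from the thread or from Travelex. It assumes a constructed sample tree of "customer" files, a two-space `digest  path` line format, and an HMAC key standing in for a real signing key (in practice an asymmetric scheme such as minisign or gpg is better, so the backup host only ever holds the public key). Verification reports modified, missing and unexpected files, and refuses to trust any line of a manifest whose signature does not check out.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def make_sample_tree(root: Path) -> None:
    # Constructed sample data so the example runs offline (not real customer data).
    (root / "customers").mkdir(parents=True, exist_ok=True)
    (root / "customers" / "2019-12.csv").write_bytes(b"id,name\n1,alice\n2,bob\n")
    (root / "customers" / "2020-01.csv").write_bytes(b"id,name\n3,carol\n")
    (root / "README").write_bytes(b"export of the customer table\n")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> str:
    """One 'sha256  relative/path' line per file, sorted so the manifest is a
    deterministic byte string and the signature covers a stable document."""
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}")
    return "\n".join(lines) + "\n"


def sign_manifest(manifest: str, key: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for a real signature. Use an asymmetric
    # signature in production so the host holding the data cannot re-sign.
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_manifest(root: Path, manifest: str, signature: str, key: bytes) -> list:
    """Return a list of problems; an empty list means the tree matches the signed manifest."""
    problems = []
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        problems.append("manifest signature invalid")
        return problems  # do not act on a single line of an unverified manifest
    listed = {}
    for line in manifest.splitlines():
        digest, rel = line.split("  ", 1)
        listed[rel] = digest
    for rel, digest in listed.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(on_disk - listed.keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def run_demo() -> dict:
    # Assumption: the key lives with the small group that manages the write-once store,
    # never on the servers that automation can touch.
    key = b"demo-key-kept-off-the-backup-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_sample_tree(root)
        manifest = build_manifest(root)
        sig = sign_manifest(manifest, key)
        clean = verify_manifest(root, manifest, sig, key)
        # Simulate ransomware rewriting one file and dropping a note.
        (root / "customers" / "2019-12.csv").write_bytes(b"ENCRYPTED")
        (root / "customers" / "READ_ME.txt").write_bytes(b"pay up")
        tampered = verify_manifest(root, manifest, sig, key)
        # Simulate an attacker regenerating the manifest to match the new hashes:
        # without the key the old signature no longer matches.
        forged = verify_manifest(root, build_manifest(root), sig, key)
    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    print(run_demo())
```

The point of the sorted, deterministic manifest is that the same tree always yields the same signed bytes, so a manifest written at backup time can be compared against one rebuilt at restore time, and an attacker who can rewrite the data but not the signature cannot hide a modification, a deletion or a planted file.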

~~~
Scoundreller
And a good reminder to get cash for your destination country before you get
there where possible.

The hole in the wall forex place near me has wayyyyyy better rates than an
airport’s currency desk.

Practically anyone does.

~~~
teagoat
I've found that typically the easiest and very close to the cheapest way to
get foreign cash is to simply withdraw it from an ATM in the destination
country. Always make sure that they're charging your bank in the local
currency to avoid poor exchange rates. You'll usually pay a couple bucks at
the ATM and a couple more at your bank (unless you use somebody like Charles
Schwab), but even with a $5 surcharge, the market rate used usually beats out
the rate you can get at a money changer or from your bank before you travel.

~~~
akamia
That's been my experience as well. Using credit cards when possible and
withdrawing cash from ATMs are the two best ways to get a good exchange rate.

~~~
Scoundreller
And then there are the American banks that charge foreign transaction fees on
all foreign transactions, even those in US$.

Fuck you PNC.

~~~
akamia
Yeah. That's pretty frustrating. I always try to make sure that I have at
least one card that doesn't have foreign transaction fees and I stick to that
card when I'm out of the country.

------
txcwpalpha
The Travelex website said it was down due to "planned maintenance". Is that
not an outright lie, since it was obviously down for other reasons? Is there
anything preventing a company from lying about something like this?

~~~
kjaftaedi
Travelex operates in Europe and is bound by GDPR regulations.

Travelex should have notified their supervisory authority within 72 hours of
the breach, and are also required to notify end users in a timely manner.

[https://gdpr-info.eu/art-34-gdpr/](https://gdpr-info.eu/art-34-gdpr/)

According to the article, end users still have not been notified.

The lack of timely and proper notification as well as the misleading website
information can be taken into account by the data protection authority in
determining if the company should be fined, and the fines in question can be
quite substantial.

~~~
jiveturkey
> Travelex operates in Europe and is bound by GDPR regulations.

To clarify, it's not that Travelex is _located_ in or _operates_ in Europe,
it's that they hold data of EU residents. If they operated in Zimbabwe yet
held data on EU residents, they would still be bound by GDPR.

~~~
deith
How could they enforce that? By barring EU residents from dealing with
Travelex?

~~~
jiveturkey
Well Travelex is a gigantic company, well-run (business-wise if not infosec-
wise :P) and would comply with any imposed fines etc.

But your question is interesting. Imagine an onion service, theoretically
perfectly shielded, that took Personal Data from it users and then sold it. Or
even a normal Internet service, based in North Korea. GDPR would be
unenforceable.

Ultimately we depend on the norms of international agreements, the desire and
need to interoperate with global banking systems, etc.

~~~
Jimw338
Maybe someone should organize a campaign to flood the European GDPR Regulators
with "our data _might_ have been compromised already or maybe in the future,
and _might_ have contained data on EU residents, that _might_ be considered
'sensitive'. We are (or will be) working on it, but just wanted to let you
know _immediately_ so that you can't say we didn't warn you and slap us with a
ga(*)-illion dollar/euro fine." (*) "Ga" subject to change at any moment
based on ECB forecasts, or how much we don't like you.

All kinds of companies, from all over the world (eu or not) flooding the GDPR
headquarters in Brussels with "pre-emptory warnings". The purpose of course
being to let them know how ridiculous (and possibly/probably arbitrary) their
regulatory framework

And is anyone else annoyed that since GDPR started, _every single website_
that even so much as stores your username now has a "this website uses
cookies" thing you have to click on to get rid of it? And if you _turn off
cookies_ , you see this damn intrusive thing _every single time_. How is this
making the web "safer"?! Can "we" (whatever that means) petition them to enact
a standard where people can set a preference in their web browsers that says
"I don't care unless it's financial/medical/physical-address data" It's a
$#%$5# pain in the collective derriere.

I wouldn't be surprised if some websites are doing it as a matter of course,
"just in case" - like the "this product contains things that are known to
cause cancer to the state of California" - applied to _everything_ - in a
catalog that sells _drill bits_ (okay, I suppose the couple of nano-grams of
drill-bit-dust coming off it). Just to be safe (pun unintended).

~~~
TheCoelacanth
> And is anyone else annoyed that since GDPR started, every single website
> that even so much as stores your username now has a "this website uses
> cookies" thing you have to click on to get rid of it? And if you turn off
> cookies, you see this damn intrusive thing every single time.

I am indeed very annoyed that so many companies are throwing an online tantrum
over the very reasonable requirements of GDPR. Most of those cookie banners
aren't even GDPR-compliant because they don't let you opt-out of tracking and
don't actually tell you what data they are tracking or who they are giving it
to.

Just tell people what you are actually fucking doing with their data and let
them opt-out of having their data collected. It's not that fucking hard.

------
Angostura
Most of the substantive reporting seems to point back to here:
https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack

------
raesene9
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/

has information about this being specific ransomware.

One possible vector for the attack, from that article, is that apparently they
had an unsecured Pulse Secure VPN which has a known and quite nasty
vulnerability, which is being actively exploited.

------
Scirra_Tom
Devastating for them I imagine. Website offline since 31st December,
purposefully timed attack for maximum disruption I would imagine.

Looks like they had aspirations to IPO earlier in 2019; I imagine this would now
not be on the cards for a long time.

I wonder how much the ransom is for. It appears to be an enormously damaging
attack - I wonder if paying it is the best option for their business at this
stage, then follow the money.

~~~
rjmunro
The problem with paying it is that even if it works, and all the machines
decrypt in a timely fashion, you have no idea if the attackers have left
anything else in the network that they could use to enter again.

You might not even find out the original entry point, and stop others
following. Also it will be expensive.

~~~
zelon88
You still may never find the entry point if you don't recover the machines.
Saudi Aramco and Maersk fell victim to similar ransomware attacks and
practically had to start from scratch buying storage devices straight from
manufacturers to get back online. NotPetya was so destructive it didn't leave
behind much in the way of meaningful evidence. If you don't recover the
encrypted data you probably won't recover evidence that points to patient zero
anyway.

~~~
zerkten
Episodes 53 and 54 of
[https://darknetdiaries.com/episode/](https://darknetdiaries.com/episode/) are
a good listen on this subject.

------
mattlondon
Mini Ask HN: assuming you were designing a similar system, how would you
design it to prevent this happening? What would make your system "immune" from
this sort of ransom attack so you could redeploy and be up and running again
quickly?

Sure there are the basic security hygiene steps etc, but what architectural
steps can you take to combat this risk?

I have some thoughts (e.g. append-only logs replicated in multiple places,
everything 12-factor'd and containerised and ready to re-deploy at a moment's
notice etc), but curious what prevailing wisdom is?

~~~
Kalium
It's perhaps worth discussing the possibility that append-only logs replicated
to multiple places may be likely to make the mishandling and theft of private
data more likely, rather than less.

The only real form of true immunity to private information theft is to have no
private information. It's impossible to lose what you do not have. Everything
else is layered controls and policies to detect, alarm, contain, deter, and
otherwise enable you to deal with attacks as they come. That's what good
defenses looks like for most companies - defense in depth.

In practice, it often looks like aggressive patching policies and
administrative controls coupled with careful monitoring, limited access to
production, and regular audits. Security is a whole-enterprise problem, rather
than a purely technical one that can be entirely addressed by code fixes.

~~~
rjmunro
Append-only logs replicated to multiple places is probably illegal under the
GDPR. People have the right to demand all data about them is deleted, e.g.
once they are no longer Travelex customers.

An interesting question is would you rather your bank leaked some personal
information about you, or would you rather they lost all your information, and
therefore all of your money?

~~~
Kalium
Travelex, as a financial services company, is probably obligated to retain
records. GDPR defers to these obligations.

A company outside finance might definitely have these problems!

~~~
TheCoelacanth
They're obligated to retain some information for a certain period of time, but
certainly not all information that they have and not forever.

~~~
Kalium
You're absolutely right.

In this case, it means that an append-only data store with a fixed retention
time might be a perfectly reasonable way to store certain kinds of records.
This means that an append-only data store is not guaranteed to run up against
deletion requirements in all cases.

In my opinion, this is particularly salient and worth being aware of when the
conversation centers around a financial company, data storage, GDPR, and
deletion requirements. It is possibly not always likely to be as simple as
"use append-only" or "append-only likely to be illegal".
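As an added example of the pattern described above (not code from the thread): an append-only, hash-chained log whose records expire as whole segments, so personal data is actually deleted once the retention window ends while everything still retained stays tamper-evident. The segment size (one day), the two-day retention, and the sample FX records are assumptions for the demo.

```python
import hashlib
import json
from collections import OrderedDict

SEGMENT_SECONDS = 86400  # assumption: one segment per day; match your retention granularity
GENESIS = "0" * 64


class RetainedAppendOnlyLog:
    """Append-only log: entries are only ever added, each hash covers the
    previous hash, and deletion happens only by dropping whole expired segments.
    The closing hash of the newest purged segment is kept as the anchor so the
    chain over the surviving segments can still be verified end to end."""

    def __init__(self, retention_seconds: int):
        self.retention = retention_seconds
        self.segments = OrderedDict()  # seg_id -> [(ts, record, entry_hash), ...]
        self.anchor = GENESIS          # hash the first retained entry must chain from
        self.head = GENESIS            # hash of the newest entry overall

    @staticmethod
    def entry_hash(prev: str, ts: int, record: dict) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(f"{prev}|{ts}|{body}".encode()).hexdigest()

    def append(self, ts: int, record: dict) -> str:
        seg = ts // SEGMENT_SECONDS
        if self.segments and seg < next(reversed(self.segments)):
            raise ValueError("entries must arrive in time order")
        h = self.entry_hash(self.head, ts, record)
        self.segments.setdefault(seg, []).append((ts, record, h))
        self.head = h
        return h

    def purge(self, now: int) -> list:
        """Drop every segment whose newest possible record is already past
        retention. Returns the ids of the segments that were deleted."""
        dropped = []
        for seg in list(self.segments):
            newest_possible = (seg + 1) * SEGMENT_SECONDS
            if now - newest_possible < self.retention:
                break  # segments are in time order, so nothing later is expired either
            self.anchor = self.segments[seg][-1][2]
            del self.segments[seg]
            dropped.append(seg)
        return dropped

    def verify(self) -> bool:
        """Recompute the chain over the retained segments from the anchor."""
        prev = self.anchor
        for entries in self.segments.values():
            for ts, record, h in entries:
                if self.entry_hash(prev, ts, record) != h:
                    return False
                prev = h
        return prev == self.head


def run_demo() -> dict:
    day = SEGMENT_SECONDS
    log = RetainedAppendOnlyLog(retention_seconds=2 * day)
    # Constructed sample records (not real transactions).
    log.append(0 * day + 100, {"op": "fx_buy", "customer": "c1", "eur": 200})
    log.append(0 * day + 200, {"op": "fx_buy", "customer": "c2", "eur": 50})
    log.append(1 * day + 300, {"op": "fx_sell", "customer": "c1", "eur": 120})
    log.append(3 * day + 10, {"op": "fx_buy", "customer": "c3", "eur": 75})
    before = log.verify()
    dropped = log.purge(now=4 * day)  # days 0 and 1 are past the two-day window
    after = log.verify()              # still verifies, anchored on the purged checkpoint
    remaining = sum(len(e) for e in log.segments.values())
    # Edit a surviving record in place, as an attacker with disk access might.
    ts, rec, h = log.segments[3][0]
    log.segments[3][0] = (ts, dict(rec, eur=7500), h)
    tampered = log.verify()
    return {"before": before, "dropped": dropped, "after": after,
            "remaining": remaining, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

Two design choices matter here. Deletion is by whole segment, never by individual record, so a deletion request is satisfied by the retention schedule rather than by rewriting history. And purging keeps only the hash of the last deleted entry, not the entry itself, so no personal data survives the purge while the remaining chain still detects any in-place edit.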

------
ur-whale
I find it interesting that the article makes no mention of why the hack was
possible in the first place and how good or bad the security practices of
Travelex were.

Don't get me wrong, the criminals who conducted this should be tracked and
brought to justice, but - to use an analogy - if your bank kept your hard-
earned cash in a big pile next to the entrance door, wouldn't you feel a tad
unhappy with the bank if it got stolen?

And shouldn't proper reporting paint a slightly more rounded picture of what
actually happened (as in: how easy was it for the hackers to circumvent
security measures at Travelex?)

------
nradov
We need to make paying ransoms to hackers illegal. If that results in the
victimized companies going bankrupt then that is an acceptable consequence
_pour encourager les autres_.

~~~
lallysingh
I think it has to come down to insurance-mandated security requirements.

------
fareesh
What are the odds that they've exposed the personal information of thousands
of airport travellers who have exchanged foreign currencies with them?

~~~
jiveturkey
Low in this case (read the CW article
https://www.computerweekly.com/news/252476283/Cyber-gangsters-demand-payment-from-Travelex-after-Sodinokibi-attack).
The "ransom note" seems generic and it implies they aren't sophisticated data
thieves, just disruptors.

That said, there has been news of late that these kinds of attacks are indeed
stepping up the value chain of stealing, selling, mining the data itself. But
I would tend to think not, in this case, as the ransom note would have been
much more severe.

------
jawns
There is a very interesting wrinkle to this attack that I haven't heard of
before, although I imagine this isn't the first attempt at it.

Unlike typical ransomware, the threat isn't "we will delete all this data,"
but "we will sell all this data, and you will amass crippling fines under the
GDPR regulations."

~~~
Deimorz
Yeah, this is a relatively recent evolution of ransomware schemes:
https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/

------
rajacombinator
So the “camp out in airports and rip off naive travelers” company has bad
tech? Shocking.

~~~
joezydeco
That's a minor portion of their business, mostly to keep the name out there.
The current business is in large B2B F/X transactions - friends of mine worked
at a boutique firm in the midwest and both coasts (HIGHLY profitable) that was
acquired by them in the 2000s.

------
olliej
No they are not “weaponising GDPR”, they are simply making it more obvious
which companies aren’t protecting your data.

------
zrhswe
I have no sympathy for them. They've charged extortionate exchange rates to
travellers for decades, so now they get themselves extorted by hackers? Karmic
justice.

