Travelex – A Case for Oversight

On December 30^th Travelex succumbed to a ransomware attack that has kept operations offline for weeks, costing millions in damage. The hackers used a relatively new vulnerability in Pulse Secure VPN to infiltrate the Travelex network – the very same vulnerability that Oversight (Monitoring Service) had reported to its affected client’s months earlier.

Thanks to Oversight’s short response time all our affected clients had been notified of the Pulse Secure VPN vulnerability within 24 hours of us detecting it. Details of every affected host were provided, along with our recommendation to immediately take each of them offline to apply patches. We made the severity of the threat clear, saying that it essentially bypassed any security measures they may have in place and that it left their network wide open to attackers. Our clients were able to act immediately with this alert, taking their hosts offline and applying relevant patches.

Travelex had reportedly patched the Pulse Secure vulnerability in November, months after we had reported it to our clients. This was curiously also over a month before the ransomware was activated. Activation of ransomware is often delayed as intelligent attackers will wait for an ideal opportunity to act in order to maximise the impact of their attack. Holiday periods are particularly prone as organisations are reduced to skeleton crews just to keep the wheels turning. The hackers claimed to have extracted at least 5GB of client data from the point of compromise, and it seems that Travelex had no idea this was happening until the ransomware struck. This may make them subject to a fine from the ICO with a maximum of 4% of their annual turnover.

The underlying threat was never the ransomware, but the vulnerability that allowed for hackers to infiltrate the network. Because of this it is important that organisations react quickly to these types of critical vulnerabilities which paint them as a target to hackers, something that Travelex failed to do.

Oversight customers had little to worry about however, as our technology was monitoring their externally facing infrastructure around the clock. If Travelex were enrolled to Oversight, then we would have detected the presence of vulnerable Pulse Secure VPN software running on their hosts. This would have prompted us to contact them with useful advice on what to do, how to do it, and details on the urgency of their situation. This quick turnaround would have massively reduced the timeframe for hackers to discover and compromise Travelex’s systems, which would have ultimately prevented the entire attack which has them held at a $6m ransom.