Travelex won’t say if it has paid a ransom to its attackers

Graham Cluley @gcluley

Travelex won't say if it has paid a ransom to its attackers

Travelex, the foreign currency exchange service whose services have been knocked offline since New Year’s eve by a cyber attack, is declining to say if it has paid a ransom to the criminals responsible.

Earlier today the organisation published a customer update about its ongoing attempts to resume normal operations, which saw for the company’s CEO Tony D’Souza break cover for a video statement, and run through a series of customer FAQs.

Travelex ceo

Email Sign up to our newsletterSign up to Graham Cluley’s newsletter - "GCHQ"
Security news, advice, and tips.

In the update Travelex underlines the message it gave in a press release earlier in the week that it was making “good progress” although it has been widely criticised for its response to the attack. It also continues to warn customers to be on their guard for scammers contacting them via the phone or email.

Notably D’Souza attempts to reassure public concerns that their data may have been put at risk, but stating that Travelex has “not uncovered any evidence to suggest that any customer data has left the organisation”.

Of course, an absence of evidence is not evidence of absence. Data is different from the Mona Lisa. If someone steals the Mona Lisa, you notice the gap in the wall of The Louvre. It’s not as simple as that with data.

Travelex is declining to comment on how the REvil ransomware (also known as Sodinokibi) managed to infect its systems. I’ve also not seen them comment on media reports that the hackers responsible for the attack have demanded a $6 million ransom be paid for the safe return of what they claim is 5GB worth of sensitive data.

But the question I hoped Travelex’s CEO would answer was this: has Travelex paid any ransom demands?

ZDNet journalist Danny Palmer *did* ask that question, and I think Travelex’s answer (or rather lack of answer) might be telling:

Other organisations hit by ransomware haven’t been afraid to say that they will not pay the ransom. I wonder why Travelex doesn’t feel comfortable making a similar assertion?

If you have a secure backup, and if you have the systems in place to restore that backup in a safe, prompt fashion, then you shouldn’t need to ever consider paying the criminals behind a ransomware attack.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.