Travelex 'negotiating' with Sodinokibi ransomware group threatening to release or sell personal data

Travelex reportedly negotiating $6m ransom as group threaten to release personal data Travelex claims hasn't been compromised

Travelex's systems remain down today as the company reportedly negotiates with the Sodinokibi ransomware group behind the attack. The group is threatening to release personal data that Travelex continues to insist hasn't been compromised.

That's according to BleepingComputer, which claims to have communicated with the group responsible.

If no data had been downloaded prior to encryption, they said, "they [Travelex] would not bargain with us now. On the other hand, we do not care. We will still benefit if they do not pay. Just the damage to them will be more serious".

The group had originally demanded $3 million but have reportedly upped the asking price to $6 million.

The group behind the ransomware typically exfiltrate data before commencing encryption in order to gain leverage over their targeted organisations. In online hacker forums - inevitably in Russia - a representative of the group indicated that they could sell the data to other attackers.

Travelex took its systems down on 31st December in response to what it claimed at the time was a virus, but which was widely speculated to be ransomware.

Earlier this week, the company finally admitted that it had been hit by ransomware, while the Metropolitan Police as good as admitted that it had been called in by Travelex on 2nd January. However, the company failed to notify the Information Commissioner's Office (ICO) within the 72-hour deadline of a compromise of personal data.

Travelex has maintained that it has no evidence that personal data has been compromised, although Jonathan Armstrong, a technology lawyer with law firm Cordery, pointed out in an interview with Computing that compromised data doesn't necessarily have to be downloaded or stolen to count as a data breach under GDPR, and therefore reportable to the ICO.

"The European Data Protection Board (EDPB) has been very clear that a 'data breach' does not necessarily just mean a loss of data, but it can also include data not being available. For example, the WannaCry virus that affected the NHS. Too many people don't understand that ransomware can be classified as a data breach," Armstrong told Computing.

He warned that the ICO would almost certainly take a dim view of Travelex's response to the ransomware attack when it investigates.

"Another issue is understanding when and what you need to report. IT teams often have the attitude that if they see a security breach or problem, they are obliged to offer an immediate solution. They can be conditioned to feeling they have to report the problem and the solution and so they will delay reporting until they've found a fix.

"Businesses need to understand that they need to report a problem, and can't wait until they also have the solution."
