At the tail end of 2019, Travelex, one of the world’s largest retail currency dealers, had its systems hacked. The hackers demanded a US$6 million ransom, or they would go public with Travelex’s customers’ sensitive data, which included credit card information. Travelex was forced to take its services offline, and staff had to manually fulfil orders. The Police, the UK’s Financial Conduct Authority and the National Cyber Security Centre are on the case. Disruption was not confined to Travelex; supermarket chain Sainsbury’s and financial services website Virgin Money were also affected.
Worms, viruses, trojan horses, ransomware and malware are nothing new. In fact, hacking events have been known to have taken place even before the widespread use of computers. As far back as the 1970s, programmers had already created a computer “worm” which was more of a prank than anything else. There was nothing malicious about it (although it was annoying). At the end of the 1980s, more worms were created that were effective in slowing down the then-Internet. This was the beginning of Denial of Service attacks although again, it was not done to maliciously cause damage but to highlight security flaws.
The late 80s also saw the advent of the first ransomware attack, although it was relatively unsophisticated and propagated through the use of a floppy disk. This rather rudimentary ransomware was quickly mitigated through the writing of programs that unlocked the affected files. Fast forward 30 years, and the whole environment has changed. Hackers now have no compunctions about writing ransomware for fun and profit, and have very little regret about the damage they leave behind. In fact, some of them use it to camouflage subsequent visits to the system, gaining access even after security has been beefed up.
What is alarming about the Travelex incident is that the hackers had already successfully accessed its system six months prior to the December attack. The company has been quick to reassure its partners and customers that their data is still secure but with a presence in more than 20 countries and more than a thousand ATMs in operation, it is on shaky ground. The market, too, was quick to respond. Travelex’s parent company, Finablr, saw a fall in its share prices. Despite its best efforts, Travelex is taking a long time to recover, and stakeholder confidence in the company has been shaken.
Analysts have quickly weighed in, in the wake of the Travelex incident. Generally sympathetic to Travelex’s plight, they opine that the frequency and virulence of such incidents indicate that being hacked, especially for big companies, is a matter of when, not if. The best-case scenario would be one where disruption is minimal, and the company returns to business as usual in the shortest possible time. But for this to happen, several measures must be in place. Companies need to be proactive about looking for possible breach points in their systems. Having mitigative measures is good, but they need to be stress-tested to be effective.
Look at your existing IT infrastructure and identify weak points. Try to imagine worst-case scenarios, taking into consideration these vulnerabilities, and how much addressing them will cost, as opposed to bearing the cost of fallout and knock-on effects of hacking. Increase awareness of cybersecurity across the organisation. The more employees are aware of breaches, the more vigilant they are likely to be – and if they’re the ones doing the hacking, knowing that there is increased vigilance may deter them.
Also, don’t be embarrassed to announce you’ve been hacked; your partners and stakeholders are more likely to appreciate your honesty than your reticence. Besides, the more vocal you are about it, the more vigilant others will be about getting hacked – thus making it more difficult for hackers to break into other systems. Communication is key; the more you engage with stakeholders, and the more transparent your communication, the better you will be able to protect your brand and reputation.