Travelex — Sodinokibi ransomware

A New Year's Eve ransomware deployment took Travelex's foreign-exchange systems offline for weeks, contributed to its August 2020 administration, and forced UK store closures.

Target: Travelex — Sodinokibi ransomware
Date public: 31 December 2019
Sector: Financial Services
Attack type: Ransomware
Threat actor: Sodinokibi / REvil
Severity: High
Region: United Kingdom / global

On New Year's Eve 2019 Travelex, the world's largest retail foreign-exchange business, was hit by ransomware. Its websites went offline. Customers couldn't collect pre-ordered currency for new year travel. Partner banks — HSBC, Barclays, Royal Bank of Scotland and others, which used Travelex to provide their FX services — had to suspend their currency offerings as well. Recovery took weeks. Travelex reportedly paid $2.3 million for a decryptor that ended up running slower than restoring from backup. By August 2020 the parent company had entered administration in the UK, with the cyberattack cited as a contributing factor. The entry point was an unpatched VPN appliance that had been a known security risk for eight months.

On New Year’s Eve 2019 Travelex took its websites and customer-facing currency-exchange systems offline, citing a “software virus” that had been detected in its network. The intrusion was a Sodinokibi (REvil) ransomware deployment that encrypted servers across Travelex’s global estate, forcing the company to revert to manual paper-based processes in branches and at airport kiosks while payment processors disconnected from its corporate banking systems. Customers who had pre-ordered foreign currency for new year travel found themselves unable to complete transactions; partner banks including HSBC, Barclays, Sainsbury’s Bank, Tesco Bank, Royal Bank of Scotland and Virgin Money — for whom Travelex provided white-labelled FX services — also had to suspend their currency-exchange offerings.

The technical entry point was widely reported to have been an unpatched Pulse Secure VPN appliance vulnerable to CVE-2019-11510, a critical flaw that had been publicly disclosed and patched in April 2019. Travelex had not applied the patch in the eight months between disclosure and intrusion. CVE-2019-11510 was being actively exploited in the wild from August 2019 onwards by multiple groups, ransomware operators included; the same flaw was implicated in the Travelex compromise, the contemporaneous Pulse Secure-related breaches at multiple US local-government entities, and several other 2019-20 ransomware incidents.

Sodinokibi initially demanded $6 million for the decryption key. The Wall Street Journal subsequently reported that Travelex paid approximately $2.3 million in Bitcoin to obtain the decryptor — a figure the company never officially confirmed. Recovery took several weeks; the website returned in stages from mid-January, and full operational restoration extended into the second quarter of 2020. The Information Commissioner’s Office in the UK opened an investigation under the Data Protection Act and GDPR; Travelex initially indicated no customer data had been exfiltrated, then later acknowledged that data had been taken.

In August 2020, Travelex’s parent company Finablr — already under separate scrutiny for accounting irregularities unrelated to the cyber-attack — entered administration in the UK with the cyber-attack cited as a contributing factor. The company was rescued by its lenders, but the rescue involved closing 1,300 stores worldwide and cutting 1,300 jobs in the UK alone. Travelex now operates at a fraction of its pre-attack scale.

Defender takeaway: this is the textbook case for “patch the perimeter VPN within days, not months”. CVE-2019-11510 was a pre-authentication file-read vulnerability in an internet-facing edge device that any defender could see being exploited in the wild long before December 2019. The patch had been available for eight months. The deeper lesson is operational continuity: Travelex’s reliance on a single integrated IT estate to run both retail FX and white-label partner services meant the ransomware shut down not just Travelex’s own customer experience but every partner bank’s currency-exchange offering on the busiest holiday weekend of the year. Segmentation between the partner-services environment and the retail environment, plus an offline-first manual fallback for branch operations that did not depend on synchronised central rate data, would not have prevented the ransomware but would have contained the operational damage. The financial outcome — administration, mass redundancies, store closures — is a reminder that ransomware impact is not measured in ransom paid but in revenue forgone during recovery.
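To make the "days, not months" rule measurable, here is an added example (not Travelex's tooling or any regulator's policy) of a small patch-SLA tracker: it tightens the remediation deadline for anything internet-facing and re-bases it on the first in-the-wild exploitation report, then reports how long each asset stayed exposed past that deadline. The SLA values and the day-level dates in the sample finding are assumptions; the write-up gives only the months.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Hypothetical remediation SLAs in days (an assumption of this example).
# Key: (internet_facing, known_exploited). The point is the first row:
# an edge device with public exploitation gets days, not months.
SLA_DAYS = {
    (True, True): 2,
    (True, False): 14,
    (False, True): 14,
    (False, False): 30,
}

@dataclass
class Finding:
    asset: str
    cve: str
    internet_facing: bool
    disclosed: date                            # vendor advisory / patch release
    exploited_in_wild: Optional[date] = None   # first public exploitation report
    patched: Optional[date] = None             # None means still unpatched

def due_date(f: Finding) -> date:
    """Deadline counted from disclosure; if exploitation is reported, the
    stricter deadline counted from that report wins (earliest date applies)."""
    base = f.disclosed + timedelta(days=SLA_DAYS[(f.internet_facing, False)])
    if f.exploited_in_wild is None:
        return base
    urgent = f.exploited_in_wild + timedelta(days=SLA_DAYS[(f.internet_facing, True)])
    return min(base, urgent)

def days_overdue(f: Finding, as_of: date) -> int:
    """Days the asset stayed unpatched past its deadline, 0 if fixed on time."""
    end = f.patched if f.patched is not None and f.patched <= as_of else as_of
    return max(0, (end - due_date(f)).days)

def overdue_findings(findings: List[Finding], as_of: date) -> List[Tuple[str, str, int]]:
    """(asset, cve, days_overdue) for every finding past deadline, worst first."""
    rows = [(f.asset, f.cve, days_overdue(f, as_of)) for f in findings]
    return sorted([r for r in rows if r[2] > 0], key=lambda r: -r[2])

# Constructed sample: a Travelex-style edge VPN that sat unpatched from the
# April 2019 advisory, through the August 2019 exploitation reports, to the
# 31 December 2019 intrusion, next to an internal box patched on time.
EXAMPLE_FINDINGS = [
    Finding("vpn-edge-01", "CVE-2019-11510", True, date(2019, 4, 24), date(2019, 8, 1)),
    Finding("fileserver-07", "CVE-EXAMPLE-0001", False, date(2019, 10, 1), None, date(2019, 10, 20)),
]
```

Run `overdue_findings(EXAMPLE_FINDINGS, date(2019, 12, 31))` to see only the edge VPN listed, roughly eight months past its deadline.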

Controls that would have helped

Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
