11 Jan 2020

Travelex cyber attack: New Zealand customers not affected - retail banks

6:50 am on 11 January 2020

New Zealand banks say a ransomware cyber attack that shut down a major foreign currency exchange retailer will not affect their customers, but a technology expert here says similar attacks are increasing.

Hacker, cyber attack, (File photo)

London-based foreign currency exchange retailer Travelex is being held to ransom by hackers. Photo: 123RF

London-based Travelex shut down all online systems on 31 December when a virus was discovered and isolated. The company's websites remain offline.

Travelex said the hackers encrypted some of the data that was accessed and the company is still investigating what information has been affected. The company said it doesn't believe any data has been exported.

Travelex's New Zealand branches are providing services manually offline.

Many large banks and businesses use Travelex to provide services. At least three major UK banks have now stopped customers ordering foreign currency - Lloyds, Barclays and the Royal Bank of Scotland. UK supermarkets Tesco and Sainsbury's have also reported problems.

ANZ, Westpac and ASB all told RNZ there is no disruption to their customers. An ASB spokeswoman said Travelex does not hold data on any of its customers, and a Westpac spokesman said it is working with Travelex.

Air New Zealand said their OneSmart travel card does not use any affected Travelex services, but would not confirm if Travelex is a service provider. BNZ and Kiwibank did not respond.

The BBC reported the hackers have demanded more than $NZ9 million for the release of the data.

New Zealand-based technology commentator Paul Brislen said ransomeware attacks were increasing globally, as well as here.

"What tends to happen is somebody's opened a link or clicked on something in an email or on a website, probably quite innocently - and that's triggered an application, that encrypts your information, and won't let you access it unless you have the key. And of course in order to get the key you have to pay lots and lots of money to some nefarious outfit.

"It's a very difficult situation when they do get hit by this, because their intellectual property is usually what makes them money. And if they haven't got back-ups, if they haven't got a robust process for duplicating all their data you can find yourself in a very difficult situation where somebody's locked away the crown jewels for your business, and that can be very difficult."

Brislen said its a warning to all companies using the internet, that they need to be prepared for cyber attacks.

"If you haven't been paying attention to your cybersecurity needs it can be quite difficult to recover, and that can happen regardless of size. The trick is to make sure that if anybody does lock up a big chunk of your data that you've got a big back-up somewhere - or better still, you're always saving your data to multiple locations.

"Never pay these guys when they do attack, because you just don't know what else they've added to your data - you might get all your files back and a little bit extra that means you've got to do it all again in a year's time. You just don't know what there is in there, so it's better to make sure you've got an alternative source of your data."

Brislen said even if data was not exported, the attack is a major problem for Travelex.

"A lot of these businesses, particularly around currency, are really built on trust, and I'm not sure anybody's going to trust them with their credit card details or bank account numbers in the future".

Small New Zealand companies are often not prepared for such attacks, and rely on "obscurity as a form of security", he said.

"But that really doesn't work, because nobody's actually targeting these victims, they're just swept up in the attack, and size doesn't matter.

"The real question to be asking is 'what have I done to ensure that if I am attacked I don't have to pay these people any money to get my data back?'"

Massey University banking professor David Tripe said customers could be feeling vulnerable that there could be difficulties accessing their money, and it can be challenging understanding whether a travel card is connected to Travelex.

He said it raises questions about services offered in the banking industry by players who aren't banks, and may not be bound by the same rigourous rules.

"If you've got a card loaded up with foreign currency, some of those are run by Travelex. Some organisations rely on them to run their international travel cards.

"They do run a foreign exchange retail trading service, and they do international transactions on behalf of corporations and individuals. There is a range of alternative providers, but it does mean potentially people who are replying on them for service, could potentially not be able to use them."

Tripe said he chose not to use Air New Zealand's OneSmart travel card because of alarm bells when he saw Travelex mentioned in the fine print of the terms and conditions.

Travelex said the UK National Crime Agency and police are each investigating the attack.