Travelex "held to ransom"

Oops

Still waiting for Travelex to fess up to loss of personal data… but I guess they won’t be able to do that until they can decrypt their encrypted data! :wink: I sense a potentially huge lawsuit coming…

I’ve zero sympathy for sloppy security. Also the idea that the data will be erased if the ransom is paid is risible. Unstolen?

1 Like

Yes, I read The Register report on this in which it mentions that Travelex were informed by a security researcher of the probable vulnerability used (some security hole in a VPN transport system) in 9 of their internet-facing servers, before the attack happened, and yet did not patch the servers in question. Oh dear indeed…

All this “security stuff” seems like unnecessary overhead until… bang, you’re done.

The article in *The Register* suggests that the data was possibly both stolen and encrypted on Travelex’s systems.

The correct response to the latter is “piss off we have backups”

The former is more of a problem. To a point I share John’s scepticism that the data would be safe from sale on the black market if a ransom were paid - but, then, if thieves did not generally honour “pay up or the data gets it” people would realise there was no point to doing so and kidnaps (of whatever sort) would not work.

It is possible my own details are in the haul - I’ve bought currency from them for delivery, though the last time I did so was 2014.

The fact that the breach was due to widely known security flaws with patches available puts Travelex - and Pulse Secure VPN - in a very bad light (the former should have patched the system, the latter should have been more pro-active about making sure clients did so).

1 Like

Seems like poetic justice for a company that is in the business of ripping off travellers…

2 Likes