Incident: Travelex Cyber-Attack: Ransomware Incident Impacting Currency Services and Banks

Published Date: 2020-01-02

Postmortem Analysis
Timeline 1. Travelex discovered the ransomware attack on New Year's Eve (31 December 2019) and took its computer systems offline [94366, 94607]; Travelex employees said the company was in fact alerted on 30 December, not 31 December as widely reported [94362]. 2. Two weeks after the attack, when article 94609 was written, Travelex's website and systems were still offline and the company said it was only beginning to restore partner and customer services [94609].
System 1. Travelex's computer systems [94366, 94607, 94876, 94212, 94362, 94609]
Responsible Organization 1. The Sodinokibi gang, also known as REvil (Sodinokibi is the ransomware strain; REvil is the criminal group that operates it), which encrypted Travelex's systems and demanded a $6m (£4.6m) ransom [94366, 94212, 94362, 94609].
Impacted Organization 1. Customers of Travelex, including individuals like Natalie Whiting and Stephen Wright, who were unable to receive their ordered currency and faced financial losses [94366, 94362]. 2. Business partners of Travelex, such as Sainsbury's, Tesco, and Virgin Money, who rely on Travelex for currency services and were also affected by the cyber-attack [94366]. 3. Banks like Barclays, Lloyds, and RBS, which use Travelex to provide their travel money services and were unable to sell travel money online or in-store due to the attack [94362, 94609].
Software Causes 1. Sodinokibi/REvil ransomware deployed on Travelex's computer systems, which encrypted documents on employees' PCs and forced the company to take its systems offline to stop it spreading [94366, 94607, 94212, 94606, 94362, 94609].
Non-software Causes 1. A criminal extortion operation: the gang demanded $6 million (£4.6 million) in return for the customer data it claimed to hold, and threatened to sell that data online and delete company computer systems if it was not paid [94366, 94607, 94876, 94212, 94362, 94609]. 2. Prolonged, undetected access: the attackers claimed to have been inside Travelex's network for six months before the attack and to have downloaded 5 gigabytes of sensitive customer data in that time without being detected [94212, 94609]. 3. Slow remediation of known weaknesses: security experts said Travelex had been warned about a vulnerability in its systems and took six months to fix it [94212]. 4. Weak internal leadership and communication during the response, which employees criticised as "scant" [94362].
Impacts 1. Customers were left without travel money from Travelex due to the cyber-attack, with some individuals like Natalie Whiting being unable to collect their ordered currency, resulting in financial losses [94366, 94362]. 2. Travelex's computer systems were taken offline, affecting thousands of sites in multiple countries, leading to disruptions in online orders and services [94366, 94607, 94876]. 3. Business partners like Sainsbury's, Tesco, and Virgin Money, who rely on Travelex for currency services, were also impacted, with their online travel money services being unavailable [94366, 94876]. 4. Banks such as Barclays, Lloyds, and RBS were unable to provide foreign currency services to customers due to their dependency on Travelex, resulting in the halt of travel money orders [94362, 94609]. 5. Travelex employees had to resort to manual processes like using pen and paper to keep money moving at cash desks in airports and on high streets, indicating operational challenges [94366, 94362]. 6. Travelex's website and online systems were taken down, affecting the ability to perform transactions, including online ordering of travel money [94607, 94609]. 7. The incident raised concerns about customer data security, with hackers claiming to have accessed sensitive customer data like dates of birth, credit card information, and national insurance numbers [94212, 94609]. 8. The ransomware attack led to a lack of communication from Travelex to customers, causing frustration and confusion among those affected by the disruption [94366, 94362]. 9. Travelex faced criticism for its handling of the incident, with employees expressing dissatisfaction with the internal communication and management response to the cyber-attack [94362]. 10. The attack highlighted vulnerabilities in Travelex's system, with security experts pointing out previous warnings about weaknesses in the system that were not adequately addressed [94212].
Preventions 1. Fixing the vulnerability Travelex had been warned about promptly, rather than leaving it open for six months, would have closed the weakness that security experts believe led to the compromise [94212, 94362]. The articles do not identify the vulnerability or the method of initial access, so the exact exploit path cannot be stated from these sources. 2. Monitoring for unauthorised access and data exfiltration: the attackers claimed six months of access and 5 gigabytes of downloaded data before they encrypted anything, which is a long window in which intrusion detection, network segmentation and egress monitoring could have exposed and contained the intrusion before the ransomware was deployed [94212, 94362]. 3. Regular security audits and assessments to find and fix weaknesses proactively, so that a warning from outside is not the first sign of a problem [94212, 94362]. 4. Security awareness training for employees, to reduce the chance of successful phishing or other social engineering; the articles do not state how the attackers gained initial access, so this is a general control rather than one tied to the known facts [94362]. 5. A tested incident response plan, with backups of critical data kept offline or otherwise isolated so that ransomware cannot encrypt or delete them, would have shortened recovery; Travelex's own remediation plan included steps to protect its backup systems [94212, 94362].
Fixes 1. Restoring systems in stages, beginning with partner and customer services, as Travelex's chief executive said the company was doing two weeks after the attack [94609]. 2. Executing a remediation plan that prevents further infection and protects backup systems, so that recovery does not reinfect the estate [94362]. 3. Patching promptly when alerted to a vulnerability, instead of leaving it open for months [94362, 94212]. 4. Giving employees and customers timely, accurate updates as the incident develops [94362]. 5. Working with specialist cyber-recovery firms and external cyber-security experts to isolate the ransomware and restore affected systems [94362, 94607].
References 1. Travelex employees [94362] 2. Travelex spokeswoman [94366] 3. Ransomware gang called Sodinokibi [94366, 94212] 4. Banks like Barclays, Lloyds, and RBS [94609] 5. Metropolitan Police [94362] 6. Cybersecurity expert Bob Sullivan [94212] 7. Financial Conduct Authority [94212] 8. Stuart McKenzie, senior vice president at US cyber-security firm Mandiant Services at FireEye [94362]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization From the provided articles, the software failure incident at Travelex has happened before within the same organization. Travelex was at the center of an IT crisis nearly two years ago when it mistakenly leaked data on thousands of customers of partner Tesco Bank [Article 94607]. This incident involved sensitive information being exposed, indicating a previous software failure incident within the organization. Additionally, the software failure incident at Travelex has also affected other banks and organizations that rely on Travelex for foreign exchange services. Banks like Barclays, Lloyds, and RBS were unable to sell travel money due to the cyber-attack on Travelex [Article 94609]. This shows that the incident has impacted multiple organizations beyond just Travelex.
Phase (Design/Operation) design, operation
(a) design: the weakness that let the attackers in pre-dated the incident. Security experts said Travelex had been warned about a vulnerability in its systems and took six months to fix it [94212], and the gang claimed it had been inside the network for six months and had downloaded 5 gigabytes of customer data before deploying the ransomware [94212]. The articles do not name the vulnerability or the method of initial access.
(b) operation: the ransomware was deployed against live production systems and the failure unfolded in operation. The attack was discovered on New Year's Eve [94366], though employees say the company was alerted on 30 December, not 31 December as widely reported [94362]. Travelex took its systems offline to contain the virus and protect data, provided foreign exchange manually in its branches, and worked with IT specialists and external cyber-security experts to isolate the virus and restore systems [94607]. Disruption extended beyond the UK to customers in the US, Australia and France [94607]. Banks such as Barclays, Lloyds and RBS, which depend on Travelex for their travel money services, could not sell currency online or in-store while the website stayed offline, and Travelex could not say when all services would be restored [94609]. Staff at airport and high-street cash desks fell back to pen and paper, and customers who had ordered currency online were left out of pocket when it was not delivered [94362]. Internal communication during the response was described as "scant" [94362].
Boundary (Internal/External) within_system, outside_system (a) within_system: - Travelex experienced a ransomware attack on its computer systems, leading to the failure of its online services and affecting thousands of sites in multiple countries [94366, 94607, 94876]. - The ransomware gang, Sodinokibi, was responsible for the attack and demanded a ransom of $6m (£4.6m) from Travelex [94366, 94607, 94212]. - Travelex had to take down its online systems to protect data and prevent the spread of the software virus after discovering the attack on New Year's Eve [94607]. - The attack led to disruptions in Travelex's operations, with cashiers resorting to manual methods like pen and paper to keep money moving at cash desks [94366, 94876]. - Travelex's computer systems were switched off across Europe, Asia, and the US, impacting its ability to provide services [94362]. - Travelex employees mentioned a lack of communication and handling of the cyber-attack internally, causing frustration and criticism within the company [94362]. (b) outside_system: - The ransomware attack on Travelex was initiated by external hackers, the Sodinokibi gang, who demanded a ransom for customer data [94366, 94607, 94212]. - The hackers claimed to have accessed Travelex's network six months prior to the attack and downloaded sensitive customer data [94212]. - The attack affected not only Travelex but also banks like Barclays, Lloyds, and RBS, which relied on Travelex for their foreign exchange services [94609]. - The hackers threatened to sell the stolen customer data online if Travelex did not pay the ransom [94212]. - The incident raised concerns about the vulnerability of high-value companies and public bodies to well-organized and well-funded criminal hacking groups [94362].
Nature (Human/Non-human) non-human_actions, human_actions
(a) non-human_actions: once deployed, the ransomware ran automatically, encrypting documents on employees' PCs and threatening to spread through the network, which is why Travelex switched off systems across Europe, Asia and the US and took its websites down (shown as "planned maintenance") to stop the virus spreading [94607, 94362, 94609]. The result was outages at thousands of sites in multiple countries and manual pen-and-paper operation in branches [94366, 94876].
(b) human_actions: the attack itself was a deliberate criminal act. The Sodinokibi/REvil gang planted the ransomware, claimed six months of prior access and 5 gigabytes of stolen customer data, and demanded $6m (£4.6m), threatening to sell the data if unpaid [94366, 94607, 94212, 94606]. Human decisions on Travelex's side also contributed: security experts criticised the company for taking six months to fix a vulnerability it had been warned about [94212], and employees criticised a lack of real leadership and communication during the response, saying they were left as uninformed as the customers who were out of pocket [94362].
Dimension (Hardware/Software) software
(a) hardware: none of the articles report a hardware fault. Employees' PCs and the branch systems were physically intact; they were unusable because the documents on them had been encrypted by the ransomware and because Travelex deliberately powered systems down to contain it [94362, 94607]. The pen-and-paper workaround at cash desks in airports and on high streets reflects that shutdown, not a hardware failure [94366].
(b) software: the failure was entirely at the software layer. Ransomware encrypted data on Travelex's systems and the attackers demanded a ransom [94362]; Travelex took its online systems down to protect data and stop the virus spreading [94607]; and its website remained offline for weeks, cutting off the banks that use Travelex for their foreign exchange services [94609].
Objective (Malicious/Non-malicious) malicious
(a) malicious: the incident was a deliberate ransomware attack by the Sodinokibi gang, also known as REvil, who demanded $6m (£4.6m) from Travelex [94366, 94607, 94212, 94606, 94362, 94609]. The gang claimed to have had access to Travelex's network for six months and to have downloaded 5 gigabytes of customer data, including dates of birth, credit card information and national insurance numbers, and threatened to sell it online if the ransom was not paid [94212, 94609]. The attack took Travelex's systems offline at thousands of sites in multiple countries [94366, 94607, 94876, 94362, 94609] and halted travel money sales at partner banks such as Barclays, Lloyds and RBS [94362, 94609].
(b) non-malicious: not applicable. Travelex's statements that there was no evidence customer data had been compromised and that customer data had not been encrypted [94366, 94607, 94362, 94609] concern whether the attackers' data-theft claim was substantiated, not the intent behind the attack, which was hostile regardless.
Intent (Poor/Accidental Decisions) poor_decisions
(a) poor_decisions: failure due to contributing factors introduced by poor decisions. - Security experts said Travelex had been warned about weaknesses in its systems and took six months to fix a vulnerability that could have led to the compromise [94212]. - Two weeks into the incident Travelex still did not have a complete picture of what had happened to its data, leaving the extent of the breach and its impact on customers uncertain [94212]. - Employees criticised the internal handling of the attack, describing a lack of real leadership and communication [94362].
(b) accidental_decisions: no supporting evidence. Taking systems offline to contain the virus and protect data [94607], falling back to pen and paper at cash desks [94362], keeping the website offline [94609] and declining to commit to a restoration date [94609] were deliberate containment and recovery choices, not mistakes, and the articles report no unintended decision that contributed to the failure.
Capability (Incompetence/Accidental) development_incompetence
(a) development_incompetence: the Sodinokibi/REvil gang compromised Travelex's systems and demanded a ransom [94366], and security experts said the company had been warned about weaknesses in its systems and did not respond promptly, taking six months to fix a vulnerability [94212]. A reported weakness left open for months is a failure of readiness rather than an accident.
(b) accidental: no supporting evidence. Taking systems offline immediately after the attack to contain the virus and protect data [94609] and running cash desks in airports and on high streets with pen and paper [94366] were deliberate responses to the attack, not accidents that caused it.
Duration temporary The software failure incident at Travelex can be considered temporary as the company was actively working on recovering its systems and restoring functionality. Travelex mentioned that they were making "good progress" in recovering their systems and hoped that employees in their stores would be able to switch on their computers again by the end of the week [Article 94609]. Additionally, Travelex's boss mentioned that they were at a point where they could start restoring functionality in their partner and customer services and would provide additional details to partners during the week [Article 94609].
Behaviour crash, omission, timing, other
(a) crash: the ransomware rendered Travelex's systems unusable and the company took them offline, stopping service at thousands of sites in dozens of countries [94366]; banks such as Barclays, Lloyds and RBS could not sell travel money because their foreign exchange services run on Travelex [94609].
(b) omission: currency orders placed online were not delivered, leaving customers such as Natalie Whiting without their travel money and out of pocket [94362]; Lloyds, Barclays and RBS could not accept travel money orders online, in branch or by telephone because of the problems at their supplier, Travelex [94362].
(c) timing: where service continued it was delayed, with staff at airport and high-street cash desks processing transactions by pen and paper [94362], and two weeks after the attack the website was still offline with no date given for restoration [94609].
(d) value: no evidence that the systems returned incorrect values; customers' losses arose from orders not being fulfilled (omission) rather than from wrong amounts. The gang's $6m demand and its claim to hold dates of birth, credit card details and national insurance numbers [94212] are an extortion attempt, not a value failure.
(e) byzantine: no byzantine behaviour is described in the articles.
(f) other: Travelex's communication with employees and customers was poorly handled, described internally as "scant" and lacking real leadership [94362], and the outage cascaded to business partners including Sainsbury's, Tesco and Virgin Money, which rely on Travelex for currency services [94366].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence
(d) property: people's money and data were affected. Customers could not collect or receive currency they had paid for; Natalie Whiting, for example, had ordered £1,000 worth of euros through Tesco [94366]. Lloyds, Barclays and Royal Bank of Scotland could not provide foreign currency to their customers because their travel money services depend on Travelex's systems [94362, 94609].
theoretical_consequence: the attackers threatened to delete company computer systems and to sell customer data online if the ransom was not paid [94366, 94609]; the data they claimed to hold included dates of birth, credit card information and national insurance numbers [94212, 94609]. Travelex said there was no evidence customer data had been compromised [94607, 94609], so within these articles this consequence was threatened rather than confirmed.
Domain finance, sales
(h) finance: Travelex is a foreign currency exchange business. Its computer systems, taken offline by the ransomware attack, support currency services at thousands of sites in dozens of countries and the travel money services of partner banks such as Barclays, Lloyds and RBS, which could not sell travel money while Travelex's website was down [94366, 94607, 94609]. Foreign exchange is a financial service, so the incident falls under finance rather than an industry outside the options [94362].
sales: Travelex's online ordering and in-store currency sales, and the travel money sales of retail partners Sainsbury's, Tesco and Virgin Money, were halted [94366, 94876]. Travelex's websites across Europe, Asia and the US were shown as down for "planned maintenance" after the attack [94606] and were still offline two weeks later [94609].
(a) information: not applicable. Travelex's websites and online systems were the sales channel for currency, not an information-industry product; their outage is a consequence of the attack on a finance business.

Sources
