Travelex, the foreign currency exchange service whose services have been knocked offline since New Year’s eve by a cyber attack, is declining to say if it has paid a ransom to the criminals responsible.
Earlier today the organisation published a customer update about its ongoing attempts to resume normal operations, which saw for the company’s CEO Tony D’Souza break cover for a video statement, and run through a series of customer FAQs.
In the update Travelex underlines the message it gave in a press release earlier in the week that it was making “good progress” although it has been widely criticised for its response to the attack.
Notably D’Souza attempts to reassure public concerns that their data may have been put at risk, but stating that Travelex has “not uncovered any evidence to suggest that any customer data has left the organisation”.
Of course, an absence of evidence is not evidence of absence. Data is different from the Mona Lisa. If someone steals the Mona Lisa, you notice the gap in the wall of The Louvre. It’s not as simple as that with data.
Travelex is declining to comment on how the REvil ransomware (also known as Sodinokibi) managed to infect its systems. I’ve also not seen them comment on media reports that the hackers responsible for the attack have demanded a $6 million ransom be paid for the safe return of what they claim is 5GB worth of sensitive data.
But the question I hoped Travelex’s CEO would answer was this: has Travelex paid any ransom demands?
ZDNet journalist Danny Palmer *did* ask that question, and I think Travelex’s answer (or rather lack of answer) might be telling:
I asked if a ransom has been paid to the cyber attacks.
“There is an investigation ongoing. We have taken advice from a number of experts and we are not discussing this,” as the reply from a Travelex spokesperson.
Story coming soon…
— Danny Palmer (@dannyjpalmer) January 17, 2020
Other organisations hit by ransomware haven’t been afraid to say that they will not pay the ransom. I wonder why Travelex doesn’t feel comfortable making a similar assertion?
If you have a secure backup, and if you have the systems in place to restore that backup in a safe, prompt fashion, then you shouldn’t need to ever consider paying the criminals behind a ransomware attack.