Travelex Sodinokibi ransomware and collapse (2019–2020)
REvil/Sodinokibi operators detonated ransomware at Travelex on New Year's Eve 2019 after dwelling in the network for six months, having entered via an unpatched Pulse Secure VPN. Travelex paid $2.3 million; parent Finablr failed; PwC put Travelex into administration with the loss of over 1,300 jobs.
- Victim: Travelex
- Loss: $2.3M
On New Year's Eve 2019, the London-based currency-exchange company Travelex was hit by REvil/Sodinokibi ransomware. The attack — exploiting an unpatched Pulse Secure VPN flaw the company had been warned about months earlier — set in motion a chain of events that ultimately ended in the collapse of Travelex's parent Finablr and the loss of more than 1,300 jobs.
What happened
REvil operators reportedly entered the Travelex network in mid-2019 via CVE-2019-11510, a Pulse Secure VPN vulnerability that allowed unauthenticated remote credential disclosure. Security researchers had publicly warned Travelex about exposure on this specific vector before the attack; the patch was not applied.
The attackers dwelled in the network for approximately six months and exfiltrated about 5 GB of sensitive customer data — dates of birth, credit-card information, National Insurance numbers — before detonating ransomware on 31 December 2019. Travelex's public website went offline and its currency-exchange operations across 26 countries were severely disrupted.
REvil initially demanded $6 million. After weeks of negotiation, Travelex paid approximately $2.3 million (~285 BTC).
The ransomware was only the start of the problem. The reputational and operational damage compounded with a Finablr accounting scandal already in motion. Parent Finablr failed in its attempt to sell Travelex, and PwC stepped in as administrator — eventually winding down Travelex with the loss of more than 1,300 jobs.
Impact
- Currency-exchange operations across 26 countries disrupted.
- Approximately 5 GB of customer data exfiltrated, including dates of birth, credit-card details and NI numbers.
- $2.3 million ransom paid.
- Travelex entered administration; over 1,300 jobs lost.
- Finablr's collapse compounded by the ransomware fallout.
Why it matters
Travelex is the foundational case study for why patching matters and why ransomware can outlast the company that pays it. An unpatched VPN flaw, ignored despite specific public warnings, killed a 50-year-old foreign-exchange brand. Every modern board-level cyber-risk discussion in UK finance can be traced back to it.
Financial impact
Reported costs in USD
- Ransom paid: $2.3M
Timeline
REvil operators reportedly establish access to Travelex's network via an unpatched Pulse Secure VPN vulnerability (CVE-2019-11510) — a flaw the company had been warned about months earlier.
On New Year's Eve, REvil/Sodinokibi detonates ransomware across Travelex's systems, taking the public website offline and disrupting currency-exchange operations in 26 countries.
Bloomberg reports Travelex remains crippled and that REvil is demanding $6 million.
Travelex pays approximately $2.3 million (~285 BTC) to regain access to its data.
Parent company Finablr fails its attempt to sell Travelex; PwC takes over restructuring; Travelex enters administration with the loss of over 1,300 jobs.
Sources
- bankinfosecurity.com: https://www.bankinfosecurity.com/travelex-paid-23-million-to-ransomware-attackers-report-a-14094
- bloomberg.com: https://www.bloomberg.com/news/articles/2020-01-07/travelex-crippled-since-new-year-s-eve-by-ransomware-attack
- techradar.com: https://www.techradar.com/news/travelex-website-was-hit-by-sodinokibi-ransomware
- securityboulevard.com: https://securityboulevard.com/2020/01/travelex-still-down-two-weeks-after-sodinokibi-ransomware-infection/