Charlie looks at the recent Travelex incident and what we can learn from their response and crisis communications.
Happy New Year to all our readers, I hope you had a great Christmas!
The Travelex incident is one I have only just come across; I think over New Year I was too busy celebrating on the Isle of Coll and I wasn’t really paying much attention to the news, so I have only caught up with the story this week. When reviewing their crisis communications response to their ransomware attack, it seems they were not prepared; it bears all the mistakes of other organisations that have previously responded to similar attacks, such as British Airways and Marriott/Starwood.
Many of the issues I am about to comment on are covered in our Managing and Preparing for Cyber Incidents course, so even though it is too late for them, you might want to consider coming on the course to understand how to prepare your organisation for managing a cyber incident. There have been lots of comments and articles on the Travelex incident, the type of ransomware involved, the ransom demanded and their inability to get systems up and running, so in this bulletin I am going to comment purely on their crisis communications.
The first point to note is that they are both a business-to-business (B2B) and business-to-customer (B2C) organisation. They supply the public with currency ordered through their website, currency to travellers from their shops or booths, as well as prepaid currency cards. Their B2B involves supplying currency services to a number of banks. I always think that B2C incidents are a lot more difficult to manage than B2B services. With B2B, there are usually a limited number of customers and they are perhaps easier to contact than members of the public.
During an incident, providing timely and updated information to your stakeholders, customers and members of the public is key to maintaining your reputation, people's confidence in the organisation and in showing that you are competently managing the incident. Failure to acknowledge the incident, update the website and social media channels, and provide a way for customers to contact the organisation are all classic and basic crisis communications mistakes. Ransomware incidents do make communication for the affected organisation more difficult, as they take away the organisation's usual means of communication, such as its website, contact databases and the ability to communicate through email. Any organisation which is prepared for a cyber-attack knows this and should have made appropriate preparation. The website can be hosted outside the organisation's systems or you can have an alternative website which can be switched in order to provide information and updates on the incident. Social media can be used to provide updates to followers, and the use of web email, such as Microsoft 365, and cloud-based CRM systems, such as Salesforce, can ensure that email and customer information can be accessed even if the organisation's systems are unavailable.
For Travelex’s customers there has been an information vacuum and the information given has been wrong, out-of-date and misleading. On the UK Travelex website there has been a single page, with one line in English and then in a number of different languages, saying that the site was 'temporary unavailable due to planned maintenance' (see Figure 1).
Figure 1 - UK website for 9 days
There is no contact information about where customers with queries can seek information. Today, nine days after the incident, I noticed they have put some customer information on their website and details on how to contact the organisation (see Figure 2).
Figure 2 - UK website, 9th January 2020
Up until the 7th January there has been a holding page on the front of their main website (www.travelex.com). This gives a little more information on the incident and an apology, but no information on what customers should do if they want their services, how to get money onto one of their currency cards or where further information can be found (see Figure 3).
Figure 3 - Holding statement on the front of the website on the 7th January 2020
Once you have clicked on the statement in Figure 3, you can then click through to their normal website, but the functionality to interact with the website does not work. If you clicked through to the news/press page there is still a cheery announcement about 'Travelex North America Names Tina Ali General Council and Corporate Secretary' from 8th May 2010. This was the last time they updated their news feed, and there was nothing on this feed about the incident. If your website is a key means of communicating with customers, then you need to make sure that you are prepared and have a strategy on how you are going to communicate through it during an incident. The information posted on the 7th January (see Figure 4) is a bit more informative, but still very lacking in detailed information and does not have the Q&A for customers that you might usually expect to be produced in this type of incident.
Figure 4 - Press release on Travelex website, 9 January 2020
Social media can be a key way to communicate with stakeholders, customers and the public, but again Travelex have come up short. If you are going to use social media in an incident you have to build followers, regularly post, and make your social media channels the authentic and authoritative voice of the company. On its UK Twitter, Travelex has only around 8917 followers and has only tweeted once or twice a month, which says to me that they were not taking the use of social media very seriously and so when the incident occurred their use of it was poor. During this incident they have only posted three times on Twitter, giving very basic information, and only on the 8th January did they provide details of how they could be contacted. Before then, if you wanted to contact them and read very carefully, you could get hold of them directly via Twitter or Facebook, but it was not obvious how to do this. I put in a query on Twitter which was answered within two minutes, but I put in a follow-up question which took them almost a further 24 hours to answer. See Figure 5.
Figure 5 - Twitter conversation with Charlie and the timings of replies
In all incidents you should provide a means of contact for your customers to get information on the incident. In a cyber incident your usual means of communications may be compromised, so you need to be able to provide an alternative means of communication. How you do this needs to be planned and when enacted, it needs to be able to deal with the volume of calls and the languages which your callers might speak.
I was passing through Glasgow airport this week and saw one of the Travelex booths, so I had a chat with the ladies who were manning it. They said they could still dispense currency, but they were doing it manually. I noticed they had got a list of the currency exchange rates written on a piece of paper under the counter and they were only able to give a handwritten receipt as they said their systems were all down and they didn’t know when they would be up again. In business continuity terms, they had a manual workaround, and at least in terms of currency buying and selling they could continue trading. Travelex also provides currency services to a number of high street banks. I read that they weren't able to dispense currency, as Travelex hadn't provided them with the actual foreign bank notes. This is the banks' risk in having Travelex as their supplier, and it is affecting the banks' service to their customers. I suspect when the incident is over and when their contract is up for renewal, banks may look for an alternative supplier.
It seems that Travelex is only just starting, after 9 days of managing the incident, to get their crisis communications sorted out, but there is still a great lack of information. Often organisations don’t disclose publicly how the incident occurred, but they need to provide updated information to their customers on what services they can and can't provide.
I have no inside information on Travelex, but it seems to me that the organisation was ill-prepared for dealing with an incident, especially a ransomware attack, and their crisis communications displayed lots of very basic errors. So, for all readers of the bulletin, would your organisation make the same basic mistakes, or would you handle this better?