> series: anatomy_of_a_breach —— part: 132 —— year: 2019 —— verdict: ransomware_industrialised_credentials_commoditised —— closing: travelex_nye
On 31 December 2019, in the final hours of the decade, REvil (Sodinokibi) ransomware struck Travelex, the London-headquartered foreign exchange company. The attackers encrypted Travelex's systems and demanded $6 million, claiming also to have exfiltrated 5GB of customer data including dates of birth, national insurance numbers and payment card details. Travelex took all of its systems offline, disrupting not only its own retail operations but the foreign exchange services it supplied to UK banks including Barclays, HSBC, Tesco Bank and Virgin Money, whose customers lost access to foreign currency services as a result.
The Travelex attack was the perfect closing chapter for a decade of breaches. The entry point was reportedly CVE-2019-11510, an unauthenticated arbitrary file read in Pulse Secure's VPN appliance that exposes cached plaintext credentials and session data to anyone who can reach the login page. Pulse published the fix in April 2019, eight months before the attack, and researchers had publicly warned Travelex about its exposed, unpatched VPN servers in September 2019. A UK company. A known, patched vulnerability. A ransomware group that would become one of the most prolific of the 2020s. And consequences that cascaded through the UK banking supply chain. Travelex reportedly paid $2.3 million in ransom and later entered administration, citing the combined impact of the ransomware attack and the COVID-19 pandemic.
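The practical lesson of CVE-2019-11510 is that exploitation is loud if anyone is looking: the public exploit is a single HTTP request that escapes the `/dana-na/` web root with `..` segments and ends in the `?/dana/html5acc/guacamole/` suffix that tricks the appliance into serving the file. As an added example (not code from the original article or the series), the Python below runs that check over constructed access-log lines in Apache combined format and reports each matching request, whether the appliance answered 200 (the read succeeded), and whether the target was one of the files the public proof-of-concept goes after. The log format, IP addresses, timestamps and sizes are assumptions made for the sample; a Pulse appliance's own logs use a different format, so in practice this would be pointed at reverse-proxy, WAF or similar HTTP logs in front of the VPN.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample: Apache "combined" access log from a reverse proxy in
# front of a Pulse Secure VPN. IPs, timestamps and response sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Dec/2019:22:14:03 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Dec/2019:22:14:09 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1184 "-" "python-requests/2.22.0"
198.51.100.23 - - [31/Dec/2019:22:14:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 262144 "-" "python-requests/2.22.0"
203.0.113.7 - - [31/Dec/2019:22:15:40 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/etc/hosts?/dana/html5acc/guacamole/ HTTP/1.1" 404 210 "-" "curl/7.64.1"
"""

# Apache/nginx combined log format (assumed for the sample input above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Publicly documented CVE-2019-11510 indicators: a traversal out of /dana-na/
# and the /dana/html5acc/guacamole/ query suffix that reaches the file-read path.
TRAVERSAL_RE = re.compile(r"/dana-na/\.\./")
GUACAMOLE_HINT = "/dana/html5acc/guacamole/"
# Files requested by the public proof-of-concept; data.mdb holds cached plaintext credentials.
SENSITIVE_TARGETS = ("/etc/passwd", "/data/runtime/mtmp/lmdb/")


def normalise(target: str) -> str:
    """URL-decode twice so single and double percent-encoding both collapse."""
    return unquote(unquote(target))


def classify(target: str) -> Optional[str]:
    """Return a verdict if the request target matches the CVE-2019-11510 pattern, else None."""
    decoded = normalise(target)
    path, _, query = decoded.partition("?")
    if not TRAVERSAL_RE.search(path):
        return None
    verdict = "dana-na traversal"
    if query.startswith(GUACAMOLE_HINT):
        verdict += " + guacamole bypass"
    if any(marker in path for marker in SENSITIVE_TARGETS):
        verdict += " (sensitive file)"
    return verdict


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Parse combined-format lines and return one finding per matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict is None:
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": m["status"],
            # A 200 means the appliance served the requested file: treat as a successful read.
            "succeeded": "yes" if m["status"] == "200" else "no",
            "target": normalise(m["target"]),
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['ip']} status={f['status']} succeeded={f['succeeded']} {f['verdict']}")
        print(f"    {f['target']}")
```

A 200 response to the `data.mdb` request is the finding that matters: it means every credential cached on the appliance should be treated as stolen and reset, and the VPN logs reviewed for logins from the scanning address, regardless of whether the device has since been patched.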
| # | Breach | Key Lesson |
|---|---|---|
| 121 | Collection #1 | 773M emails. 2.2B credentials total. Password-only authentication is over. |
| 122 | 620M Accounts Dump | One hacker, 16 sites, $20K. Credentials are a commodity cheaper than a used car. |
| 123 | Norsk Hydro | $75M recovery, zero ransom paid. The benchmark for how to handle ransomware with integrity. |
| 124 | Facebook Plaintext | Hundreds of millions of passwords in searchable plaintext logs. Since 2012. Third Facebook incident. |
| 125 | WhatsApp / Pegasus | Zero-click phone compromise via missed call. Surveillance tech targets journalists and lawyers. |
| 126 | Baltimore Ransomware | EternalBlue reportedly in play, 26 months after the MS17-010 patch. Second major US city after Atlanta. |
| 127 | Capital One | 106M records via SSRF → instance metadata credentials → S3. Cloud-native attack chain. $80M OCC fine. |
| 128 | Imperva | Sixth security vendor breached. API key exposed during cloud migration. |
| 129 | Ecuador | 20.8M citizens — the entire population including the dead. No authentication on database. |
| 130 | NordVPN | VPN provider breached through data centre management interface it didn't know existed. |
| 131 | Labour Party DDoS | UK: DDoS during a general election campaign. Democratic processes are cyber targets. |
| 132 | Travelex + Year in Review | UK: REvil ransomware on NYE. Known VPN vulnerability unpatched 8 months. UK banks disrupted. |
The Anatomy of a Breach series has now documented 132 incidents across an entire decade — from HMRC's lost CDs to Travelex's New Year's Eve ransomware. The threats evolved from lost CDs to nation-state cyber weapons. The scale grew from thousands to billions. The consequences escalated from £1,000 ICO fines to hundreds of millions in GDPR penalties. But the root causes — unpatched systems, weak authentication, absent monitoring, misconfigured infrastructure, and the persistent gap between security policy and practice — remained stubbornly, dangerously unchanged.
The 2020s would only intensify the threat: COVID-19 forced mass remote working and widened the attack surface, ransomware gangs made double extortion standard practice, supply chain attacks reached new heights with SolarWinds and MOVEit, and AI began to reshape both attack and defence. The controls have not changed: penetration testing, Cyber Essentials certification, SOC in a Box monitoring, and incident response capability. A decade of evidence. One conclusion. Implement now.
<a href="/penetration-testing">Test</a>. <a href="/cyber-essentials">Certify</a>. <a href="https://www.socinabox.co.uk">Monitor</a>. <a href="https://www.cyber-defence.io">Prepare</a>. A decade of evidence demands nothing less.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
Free Scoping Call