On the last day of 2019, much of the world’s population put their problems aside for a night of celebration. The first cases of Covid-19 had begun popping up, and anxiety was spreading faster than the disease itself, but this was still New Year's Eve.
Not so at Travelex. Covid-19 was the least of the currency exchange's worries. As the year drew to a close, it would experience a major cyber attack which crippled its business.
Ransomware-as-a-service operation REvil broke into its systems, forcing Travelex to shut down its websites across 30 countries in the hopes that doing so would contain the virus (computer, not corona), and protect their data.
REvil claimed to have downloaded around 5GB of sensitive customer data, including dates of birth, credit card information, and national insurance numbers and demanded Travelex pay $6 million in ransom.
Reportedly, Travelex negotiated the fee down to around $2.3 million worth of Bitcoin, but by August 2020, the business entered administration because of its debts, and appointed PricewaterhouseCoopers Ltd (PwC) to its multiple subsidiaries.
So far, this sounds like the tale of a company’s downfall. At this point, it becomes a tale of how a changed IT setup saved the organization from total devastation.
Emerging from the ashes
PwC restructured the debt, managing a deal that provided the company with £84 million ($105m) of new funding, saved thousands of jobs, and pushed ahead the company’s plan to move to the cloud.
“We already had some plans in 2019 to move to the cloud, but they weren’t really consistent and the overall story was missing. We didn’t know what that North Star ambition really was,” admitted Hans van der Waal, global IT director of Travelex. “Previously, our IT footprint was pretty scattered all over the place and not executed that well.”
“When 2019 started we were about to start some new activities and figure things out, but Covid came in and had a deteriorating effect on our business. Travelex is very dependent on people traveling, and as you can imagine that was pretty limited in 2019 through 2020 and 2021. But this gave us a window, after the cyber incident, to really figure things out and position our strategy in a way that would reduce costs.”
At the time of the attack, Travelex was functioning out of enterprise data centers spread out across the globe, and as the company continued to grow, these became an unnecessarily complicated web of cables, data, and processes.
The company had three pairs of data centers on three continents. Now, all that remains are two data centers - an enterprise facility in the UK and a colocation data center in Sydney, Australia - which support the company’s networks, older file shares, telephony solutions, and legacy applications which are due for retirement.
“Historically, the company was built on very localized solutions. The team in Asia had its own system developed, and again in the UK or Europe. But then things were brought in via acquisitions and we ultimately had a very complex IT estate with a lot of overlap.
“If we wanted to change something, for example how we do a compliance check, that would need to be replicated in multiple places every time.”
Ultimately, it was decided that a centralized system made far more sense, and Travelex began the process of moving to the cloud. In this case, they chose to use Amazon Web Services (AWS).
to make the move, Travelex had to go through every system, weed out the ones that were duplicated, find those that could be retired and those which could be morphed into applications, and begin making them cloud-friendly.
“We basically did a rationalization,” explained van der Waal. At this point, around 90 percent of Travelex’s enterprise systems have now been moved across to Amazon Web Services (AWS) and, of course, Travelex has employed the highest security solutions AWS offers.
“We wanted to morph CapEx into OpEx, while making things more open and integratable. We definitely improved our risk posture by making these changes.”
The process was not cheap, however. The legacy systems which Travelex moved to the cloud were not designed in a cloud-native way, so it has been expensive to migrate them, and their consumption remains high. But, overall, it was the more cost-effective strategy.
To do this, Travelex had to take a full copy, and load and test it in its cloud destination, reconfigure the connections and linkages across the estate, and then close the application on-premise. It may sound like a simple process, but this came with detailed run books that required the company to follow very specific tests.
Migrating the legacy, too
Travelex started with the lower-usage environments and, as they got more comfortable with the process, began migrating production workloads. In total, Travelex did around 30 cutovers in a year.
A key proportion of Travelex’s IT remains either on-premise or in the company’s colocation sites. One example is Payment Card Industry (PCI) data: The Payment Card Industry Data Security Standard applies to all major card brands and has six categories of requirements for compliance – to build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, regularly monitor and test networks, and maintain an information security policy.
While Travelex does this on-prem, van der Waal says it could be done on the cloud, though notes that it would be essential that you “take additional measures.”
In other cases, the move to the cloud was complicated by regulatory requirements. The company experienced particular issues in China.
The China Banking and Insurance Regulatory Commission (CBIRC) requires cloud providers to agree to regular reporting on the services for the bank, any emergencies require cooperation with CBIRC investigations, strict client confidentiality and the service provider must not carry out activity in the name of the bank.
Travelex had to balance these requirements with having the level of latency necessary to run operations.
“Regulators are themselves an issue,” explains van der Waal. “The regulations in China are quite tough, and we have an operation in China so we hosted that business in a Chinese data center. We moved some of this to the cloud with AWS, but the initial designs didn’t comply with regulations surrounding data protection and how we paid for requirements in the China location. We managed to find network provider checkpoints and a design that would work from a performance, cost, and security perspective while satisfying regulations.”
While the cyberattack was not the sole motivator for Travelex’s move to a cloud-first hybrid IT approach, it did play a significant role. But it is important to note that the cloud is not an inherently more secure option. It’s not about where you store the data, but how you go about protecting it.
In the cloud, security is shared
Ariel Parnes, co-founder and COO of Mitiga, a cloud-specific cyber security company, spoke to DCD about the reality of cyberattacks. As someone who spent 23 years working for the State of Israel and running state-sanctioned cyber-invasions, Parnes has a lot of experience from both the side of those trying to protect data, and the individual attempting to gain access to it.
“It’s a constant competition between the attacker and the defender, and it will never end,” said Parnes.
“With an on-prem environment, the perimeter is very clear. You know where it starts and it ends, and you are the owner of that environment all the way. In the case of a cyber-attack, you would send a team to look for the fingerprints left behind to understand what happened, how that attack impacted your software, firewall, EDR, etc.
“But when you are with the cloud, you are sharing responsibility. Some of the responsibility lies on Amazon to make sure that their environment is secure. You do not own your data in the same way in this case: Amazon owns your data – the fingerprints, the telemetry, the forensic data. So, to investigate these attacks, you need to have already prepared your relationship with that provider, or you will be managing the situation with your eyes closed.”
According to Parnes, what the on-prem/colo/cloud debate does not resolve is the fact that 80 percent of cyberattacks are because of a misconfiguration or, as he puts it, “your house was built wrong and you left the door open.” Ultimately, if you move to the cloud and misconfigure your environment, you are still responsible for that.
Parnes may be biased, but he does believe that ultimately, a move to the cloud is going to improve long-term security.
“Overall, technology is going towards that trend [and shifting to the cloud]. The cloud also brings flexibility to recovery. After an on-prem attack, sometimes you will need to buy new hardware and install it, whereas in the cloud, it's all virtual and can be recovered with the press of a button.”
Alive - but changed
Travelex has to ensure security both on and off premises. “On-prem, the main security is provided through firewalls in the data center which is segmented to a certain degree,” explained van der Waal.
Beyond that, AWS offered the company additional security tools and logging-as-a-service so the company didn’t need to invest in and implement additional on-premise tooling. While the exact calibration was not shared, van der Waal offered AWS Security Groups as an example, explaining that it enabled the company to implement micro-segmentation across the estate and through infrastructure as code (IaC).
More than anything, achieving the hybrid IT set-up was a collaborative effort for Travelex. The company faced a pandemic and multi-million-dollar ransom and still came out of it on the other side, alive and breathing but different.
And, according to van der Waal, the company has no plans to go back.