Travel Management Firm Pays $4.5 Million Data Ransom, The Negotiation Is Online For All To Read

At the end of July travel management first CWT (formerly Carlson Wagonlit Travel), which is one of the largest firms handling business travel, meetings, and conferences, representing more than one-third of companies on the S&P 500, paid $4.5 million after a ransomware attack.

In a ransom note left on infected CWT computers and screenshots posted online, the hackers claimed to have stolen two terabytes of files, including financial reports, security documents and employees’ personal data such as email addresses and salary information.

Hackers had encrypted corporate files and taken 30,000 computers offline with ‘Ragnar Locker’ malware. That happens with some regularity. Foreign currency dealer Travelex blames ransomware for its bankruptcy though certainly Covid-19 has as much to do with it.

What’s unique about the Carlson attack is that the negotiations between the company and the hackers were left online for anyone to read.

  • Hackers demanded $10 million to unlock the CWT files and delete their copy of the data

  • CWT, though, pleaded poverty as a result of Covid-19 and haggled down to $4.5 million in bitcoin.

I have to wonder whether the hackers left money on the table, if CWT was willing to spend $4.5 million why wouldn’t the billion dollar revenue firm spend more even in a challenging economic environment? Although hackers probably shouldn’t be targeting travel companies now. Willie Sutton said he robbed banks because that’s where the money is. And despite leveraging up, accessing large amounts of cash to make it through the current crisis, it’s not clear that travel is where the money’s at right now.

(HT: Marginal Revolution)

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »


  1. It is a safe bet that while CWT was doing the negotiating they were doing it with the money of their cybersecurity insurer. My guess is that if you knew their policy limits the number that was arrived at would make a decent amount of sense. Just guessing, though. No inside info.

  2. If you run your business on a legacy windows server you kind of deserve to pay this. Windows is like wearing a kick me sign on the internet.

  3. @Andy – you’re not wrong, but just remember: hubris is really the enemy of security. If you think you’re safe because you run Linux, you’ll be having this conversation in a ‘support session’ as well.

  4. @Gary – The number one obstacle to getting a payout in a ransomware situation is the victim’s perception of the ransomer. If the victim believes that the ransomer will act in bad faith (not return the system to its owner, not delete their copies, or the pricing is too high), then future victims will be less likely to deal. If, the ransomer is “professional”, the final price is “reasonable” (even better if the victim feels like they “saved” money in the deal!), and the transaction itself ends up as negotiated, then future victims will be more willing to negotiate and pay vs. taking a hardline stance of never negotiating and never paying. By leaving money on the table for this single transaction and publicly displaying their professionalism, they will more than make it up through future victims’ willingness to deal.

  5. While there are exception, most security problems are due to companies ignoring it and hiring people on the cheap who don’t know what they are doing. Then you have companies that may hire professionals but they ignore the advice because they don’t want to change their systems, don’t want to take the time/effort to upgrade, or just think they are unlikely to be a victim.

    Sadly there are a ton of systems out there that are easy prey.

    You had Baltimore where they literally backed up data to the local hard drive. Obviously a city with limited funds but they certainly didn’t spend the funds wisely.

    And it is one thing if you get targeted by a determined, well organized group that has a ton of resources to get into your system and another when it takes limited effort and skill.

  6. I cannot believe these cyber thieves cannot be found!! Some bank got the $$$4.5 million??????

  7. Banks do not handle Bitcoin. Get rid of Bitcoin and other virtual currencies and this can’t happen.

  8. I had one client whose system go locked by these Russians. They wanted $300 to unlock the computer. They did not know it was worth more then that. Based on us telling them to replace their computer people their new ones had them upgrade their main computer and install nightly off site backups. They then told the hackers NO and restored the backup from the night before

  9. 3M issued a statement that there are no studies indicating the exhaust valve provides more or less protection to others than various not respirator masks, and that particle physics suggests large droplets would attach to the exhaust valve of it’s products. The company further points out that a properly sealed n95 or n100 will protect against leakage in both inhalation and exhast…and that the standard surgical masks you see people wearing do not provide this protection against leakage.

    Apart from 3m ‘s statement, I’d suggest people wear one of their masks with the cool -flow exhaust. While wearing it,, even blowing into the mask directs the flow of exhaust downward, not outward.
    Putting a surgical mask on top of my N100 with exhaust is what I will do if I need to fly….not just use a surgical mask.

  10. If it is important, it should be backed up. If the backups are not tested they are not backups.

    If it is sensitive, it should be encrypted

Leave a Reply

Your email address will not be published.