Uh-oh! @StateDept’s Travel Provider Gets Hacked, Pays $4.5M in Bitcoin

 

Reuters reported last week that CWT (formerly Carlson Wagonlit Travel) was hit with a strain of ransomware called Ragnar Locker, which encrypts computer files and renders them unusable until the victim pays for access to be restored. The report refers to “hackers who stole reams of sensitive corporate files and said they had knocked 30,000 computers offline.”
Elsewhere it is reported that the hackers “may have stolen 2 terabytes of data, allegedly including thousands of global executives credentials. This is particularly worrisome given CWT provides travel services to as much as 33% of the Fortune 500.”
ITNews notes that “CWT, which posted revenues of US$1.5 billion last year and says it represents more than a third of companies on the S&P 500 US stock index, confirmed the attack but declined to comment on the details of what it said was an ongoing investigation.”
The news coverage focuses mainly on the 2 terabytes of sensitive files exfiltrated, which supposedly include global executive credentials, but a CWT division, CWTSatoTravel, is one of two contractors awarded a master contract by GSA, “responsible for soliciting and managing travel for the U.S. military and government clients.” Government clients include the State Department, where Carlson Wagonlit manages its travel management center.
According to GSA, the U.S. Federal Government is the largest consumer of travel services in the world. ETS2, the government’s current Travel & Expense management solution, serves an active user base of over 1 million Civilian Government employees, and was used for 86 percent of all civilian agency travel in 2017.

ETS2 is a competitively bid master contract with two vendors providing agencies travel and expense software, hosting, and support services based on fixed-price transaction fees, which is a unique program within the Federal Acquisition Service (FAS).

Competitively bid ETS2 contracts were awarded to:

      • Concur Technologies, Inc., of Redmond, WA, in June 2012; and
      • CWTSatoTravel, of Arlington, VA, in September 2013.

CWTSatoTravel is the division of Carlson Wagonlit Travel (CWT) responsible for soliciting and managing travel for the U.S. military and government clients. CWT is a global leader specialized in managing business travel and meetings and events.

The 2019 DOS Financial Report describes its Travel Systems Program:

In 2016, the Department successfully transitioned to the next generation of the E-Government Travel Services (ETS2) contract with Carlson Wagonlit Travel. In 2016, the Department also implemented the Local Travel module allowing for the submission of local travel claims for expenses incurred in and around the vicinity of a duty station. The Department expanded the use of the Local Travel feature to also accommodate non-travel employee claims previously submitted through an OF-1164. In the Local Travel module, approvers will electronically approve claims and provide reimbursement to the employee’s bank account via EFT. The Department has completed this implementation for 118 posts overseas.

The Department continues to work with our bureaus and posts to identify improvements that can be made to the travel system. The Department also participates with other agencies to prioritize travel system enhancements across the Federal Government landscape. The Department worked with Carlson Wagonlit Travel to enhance the functionality of the Local Travel feature to more closely align with the temporary duty travel functionality for foreign currency and approver expense reduction options. The Department continues to work with Carlson Wagonlit Travel on enhancements to support integration improvements with our financial systems. The Department continues to work with Carlson Wagonlit Travel on enhancements to support the implementation of the Local Payments module domestically and has initiated work to implement mobile capabilities for approvals and reservations.

Somebody asked if anyone has publicly acknowledged that the initial hack may imply a massive potential personally identifiable information (PII) leak on the scale of the eQIP compromise.
The company released a statement to The Register saying “we have no indication that PII/customer and traveller information has been affected.”
Has Foggy Bottom said anything?