Cyber Incident Victim: Carlson Wagonlit Travel
Date: Jul 2020
Location: United States of America
Summary
Carlson Wagonlit Travel (CWT) experienced a ransomware attack that forced a temporary system-wide shutdown to contain the infection. The company reportedly paid a $4.5 million ransom in Bitcoin to recover data, though it stated no evidence indicated compromise of personal or traveler information during its ongoing forensic investigation. While CWT notified corporate clients about the incident, UK authorities confirmed they had not received a mandatory breach notification at the time of reporting.
Description
Carlson Wagonlit Travel (CWT), a corporate travel management firm, experienced a ransomware attack around July 18-19, 2020, leading to a complete shutdown of its systems as a containment measure. The incident was publicly revealed on July 30, 2020, when a Twitter user disclosed both the breach and the ransom payment. Malware analysis sites linked the attack to Ragnar Locker ransomware, with a sample uploaded on July 27. CWT reportedly paid approximately 400 Bitcoins ($4.5 million at the time) to regain access to encrypted data, though the company declined to confirm this when questioned. The firm resumed operations after temporarily disabling its systems, stating the incident had "ceased" by July 31. CWT emphasized no evidence indicated compromise of personally identifiable information (PII) or traveler data, though its investigation remained in early stages at the time of reporting.

The attack disrupted CWT's business-to-business-to-employee (B2B2E) travel and hotel booking services, impacting corporate clients who relied on its platforms. The company notified some corporate customers about the breach but asserted individual traveler data remained unaffected, limiting notifications to that scope. CWT engaged external forensic experts to investigate the intrusion while maintaining that customer data security was its "top priority." The UK Information Commissioner's Office confirmed it had not received a breach notification from CWT as of July 31, despite the company's significant UK operations. The incident followed a pattern of high-profile ransomware payments, including those by Garmin and Blackbaud that same month, though CWT's $1.5 billion annual revenue likely mitigated the financial impact of the ransom. No technical details about initial access vectors, data exfiltration, or specific affected systems were disclosed publicly.
