Hackers are holding foreign exchange company Travelex to ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper.
On New Year’s Eve, 31st December 2019, hackers launched their attack on the Travelex network. Consequently, the company took down its websites and mobile apps across 30 countries to contain “the virus and protect data”.
A ransomware gang called Sodinokibi has told the BBC it is behind the hack and wants Travelex to pay $6m (£4.6m). The gang, also known as REvil, claims to have gained access to the company’s computer network six months ago and to have downloaded 5GB of sensitive customer data.
Dates of birth, credit card information and national insurance numbers are all in their possession, they say.
The hackers said: “In the case of payment, we will delete and will not use that [data]base and restore them the entire network. The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”
The Information Commissioner’s Office (ICO) said it had not received a data breach report from Travelex.
A spokeswoman added: “Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms. If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”
Under General Data Protection Regulation (GDPR), a company that fails to comply can face a maximum fine of 4% of its global turnover.
London’s Metropolitan Police service is leading the investigation into the cyber attack.
In a statement, the force said: “On Thursday, 2 January, the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing.”
Travelex says it is working with police and has deployed teams of IT specialists and external cyber-security experts who have been working continuously.
According to Fabian Wosar, a ransomware expert at cyber security company Emsisoft, the attack has all the hallmarks of the REvil gang.
“With what we know about the incident and the hackers’ mode of operation in the past paints a consistent picture, which leads me to believe that REvil indeed hit Travelex,” he said.
“The REvil/Sodinokibi group has been a quite sophisticated group for a long time now. The quoted ransom demands are consistent for the gang’s victims of Travelex’s size.
“Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom. The idea is to weaponise the hefty fines associated with GDPR violations to pressure the company into paying.”
The recovery operation is being coordinated from a Travelex office in the UK, and the company insists that no customer data has been leaked.
However, it would not say what data could potentially be at risk.
Travelex websites across Europe, Asia and the US have been offline since 31 December, with a message to visitors that they are down for “planned maintenance”.
Customers have not been sent any email communication about the cyber-attack, but queries are being replied to on social media by the company, albeit often with quotes from their previously-issued statement.
“The public response from Travelex has been shockingly bad,” said security researcher Kevin Beaumont.
“The Travelex UK website still only says ‘planned maintenance’, a week after the problems began – many customers will be completely unaware hackers gained access to their network, and allegedly their personal data,” he said.
“Travelex have a responsibility to clearly communicate with customers and business partners the gravity of the situation.”
Travelex’s decision to take down its site has meant the large network of other firms that use its services cannot sell currency online.
The company has said it is keeping its partners up to date on the response to the cyber-attack.
Virgin Money’s site showed an error message, which said: “Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly.”
Sainsbury’s Bank also said its online travel money services were unavailable, although it said customers could still buy travel money in its stores. In a statement to the BBC, the bank said: “We’re in close contact with Travelex so that we can resume our online service as soon as possible.”
A spokesperson for First Direct, which is owned by HSBC, said: “Unfortunately, our online travel money service is currently unavailable due to a service issue with third party service provider, Travelex.”
In a statement on Thursday, Travelex boss Tony D’Souza said: “We regret having to suspend some of our services in order to contain the virus and protect data.”
The company has resorted to carrying out transactions manually, providing foreign-exchange services over the counter in its branches.
“We apologise to all our customers for any inconvenience caused as a result,” Mr D’Souza said in the statement.
The company has since told the BBC that its systems are currently down and it is unable to sell or reload its prepaid travel cards. But, it said: “Existing cards continue to function as normal and customers in the UK can continue to spend and withdraw money from ATMs. For customers who have ordered money online, please contact Travelex customer services by phone or via social media to discuss their individual situation and requirements.”