Travelex: Banks halt currency service after cyber-attack

  • Published
TravelexImage source, Getty Images

A number of High Street banks have stopped customers ordering foreign currency, following a ransomware cyber-attack on Travelex.

Problems at Lloyds, Barclays and Royal Bank of Scotland follow disruption at supermarkets Sainsbury's and Tesco.

All get their foreign notes from Travelex, whose computer system is down after hackers demanded $6m (£4.6m) in return for customer data.

Travelex says there is no evidence customer data has been compromised.

However, Travelex cashiers have been resorting to using pen and paper to keep money moving at cash desks in airports and on the High Streets.

And banks are now reporting their supply of notes from Travelex has dried up following the cyber-attack, which struck last week.

An RBS representative said: "We are currently unable to accept any travel money orders either online, in branch or by telephone due to issues with our travel-money supplier, Travelex.

"We apologise for any inconvenience caused."

Lloyds and Barclays issued similar statements. One source said the banks were dependent on Travelex resolving its disruption before they could restore their travel-money service.

Travelex employees have told BBC News the company has been left "shell-shocked" by the continuing ransomware cyber-attack.

One source said his company's communication with employees and customers seemed to be "a masterclass in what not to do".

The employee, who wants to remain anonymous, said there is fierce criticism internally at the way management has handled the affair.

In an email to the BBC, he said: "I couldn't help but laugh at the suggestion that the public response has been "shockingly bad". This is nothing compared to how it's been handled internally. It feels like there is a distinct lack of real leadership and communication."

The company says it is working with industry-leading cyber recovery specialists to fix the problem, and insists it is doing all it can to keep its customers and employees informed.

Computer systems in the company's offices and currency shops across Europe, Asia and the US have been switched off since the attack took place around New Year's Eve.

The anonymous worker said: "I've not been able to use my work computer for a week. The docs on my PC have all been encrypted by the hack, but the docs I stored on the cloud server have not, which would seem to suggest the hackers haven't got too far into our system."

'Frustrated and upset'

The employee claims that the company was alerted to the cyber attack at about 21:00 GMT on the 30 December, not 31 December as has been widely reported. He alleges internal communication has been "scant", but that since then IT teams have been working flat-out buying and setting up new PCs and replacing certain software.

Another employee, who also wishes to stay anonymous, said it is a similar picture in his department. In an email he said: "I work for Travelex and... low down in the ranks we have no clue what is happening. We are as frustrated and upset as the customers are."

Media caption,

Technology explained: what is ransomware?

A spokeswoman for the firm said: "Travelex is gradually restoring a number of internal systems and is working to resume normal operations as quickly as possible. We have been keeping our employees informed of all developments in real time and will continue to keep them updated as our recovery process continues."

Meanwhile customers of Travelex, and it's many partner companies, have told the BBC they have been left out of pocket as currency ordered online has not been delivered.

One customer, Natalie Whiting, from Stevenage, ordered £1,000 worth of euros online through Tesco. "I haven't been able to get a refund of my money, it just seems to be in limbo," she told the BBC.

Travelex now says it has processes in place in shops around the world to prevent this sort of situation for customers. In a statement the company said: "We have in place manual workarounds for all our retail services, including collection of pre-ordered currency from our bureaux.

Image source, Natalie Whiting
Image caption,

Natalie Whiting hasn't received her euros

"Travelex systems are currently down and we are unable to sell or reload travel cards. However, existing cards continue to function as normal and customers can continue to spend and withdraw money from ATMs.

"Customers who acquired their card in the UK can view their balance and transaction information at uk.travelexmoneycard.com, and reload cards by calling Mastercard's call centre, the number which is on the back of the card."

Customers who have ordered money online are asked to contact Travelex customer services by phone or via social media to discuss their individual situation and requirements, the company added.

Travelex said there is no evidence that customer data has been compromised, but the hackers, known as Sodinokibi or REvil, have told the BBC they have downloaded 5GBs of valuable customer data and will sell it online in six days time unless Travelex pays them an ever-rising ransom. The ransom demand currently stands at $6m (£4.6m).

'Multiple challenges'

Travelex said it is working closely with the Metropolitan Police, which is leading the investigation into the attack.

The currency firm is not the only company to fall victim to ransomware. In the last year the trend has been that well-organised and well-funded criminal hacking groups have targeted high-value companies and public bodies. Earlier this week a US maritime base was forced offline for more than 30 hours.

Stuart McKenzie, senior vice president at US cyber-security firm Mandiant Services at FireEye, described what it could be like for incident-responders at Travelex. "The security team will be assessing the malware and attempting to contain the spread of the attack.

"Remediation should be being planned to identify how to prevent further infection whilst protecting backup systems. In these cases, the security team will be faced with multiple challenges, including from the business itself in attempting to understand what is happening.''

Initiatives like the No More Ransom campaign publicly encourage victims not to give in to hackers' demands with partner Europol regularly stating that paying fuels the criminal industry.

However, not paying can be extremely costly. Steel producer Norsk Hydro was hit by the LockerGoga ransomware last March. Some 170 factories and offices were taken offline, with manufacturing partially suspended. The hackers demanded an estimated £300,000 but the company instead refused to negotiate and has spent about £50m recovering operations.