Firm facing ransom
Hackers threaten to release Travelex customer data
Customers are told the company is conducting ‘planned maintenance’
Hackers who have disabled the foreign currency trader Travelex are threatening to release customer data unless the company pays a six-figure ransom.
The ransomware attack on New Year’s Eve resulted in Travelex websites in at least 20 countries going offline and forced staff to carry out tasks manually. Many customers have been left without travel money.
The criminals behind the hack are said to be demanding $6m (£4.6m) or they will delete the firm’s computer systems and sell customer data online.
Travelex operates via 1,200 branches in 70 countries and its global banking partners, including Barclays, First Direct, HSBC, Sainsbury’s Bank, Tesco and Virgin Money, have also seen their foreign currency dealings hit.
The ransomware strain Sodinokibi, also known as REvil, appeared in April 2019 and is said to have been responsible for a string of high-profile hits, including 22 attacks in Texas.
The gang claims it has downloaded 5 gigabytes of sensitive customer data from Travelex, including dates of birth, credit card information and national insurance numbers.
Travelex says that there is no evidence customer data has been compromised.
A readme file from the gang obtained by Computer Weekly states: “It is just business. We absolutely do not care about you or your details, except getting benefits. If we do not do our work and liabilities – nobody will not co-operate with us. It is not in our interests. If you do not cooperate with our service – for us it does not matter. But you will lose your time and your data, cause just we have the private key. In practice time is much more valuable than money.”
Researchers from the Secureworks Counter Threat Unit (CTU) believe that the group behind the infamous GandCrab ransomware is responsible for Sodinokibi, as the decoding functions employed by Sodinokibi and GandCrab are nearly identical.
It was not clear whether Travelex plans to pay the ransom, but many of its websites say they are down for “planned maintenance”.
A Travelex spokeswoman said on Tuesday night: “Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil.
“Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful.
“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.
“Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.
“Having completed the containment stage of its remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date Travelex has been able to restore a number of internal systems, which are operating normally.
“The company is working to resume normal operations as quickly as possible and does not currently anticipate any material financial impact for the Finablr Group.”
Tony D’Souza, chief executive of Travelex, said: “Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise.
“We take very seriously our responsibility to protect the privacy and security of our partners’ and customers’ data as well as provide an excellent service to our customers, and we sincerely apologise for the inconvenience caused.
“Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim. We are working tirelessly to bring our systems back online.”
Travelex is in discussions with the National Crime Agency (NCA) and the Metropolitan Police, which are conducting their own criminal investigations, as well as with its regulators across the world.
The Information Commissioner’s Office (ICO) said it had not received a data breach report from Travelex.