Hackers holding Travelex to $6 million ransom

It has emerged that Travelex, the international foreign exchange company, has been forced offline by a ransom demand for $6 million (£4.6 million) by Russian hackers.

The hackers, calling themselves Sodinokibi, forced the firm to shut down all its computers with a ransomware attack on New Year’s Eve.

The firm are still trading, but are having to resort to pen and paper for over-the-counter transactions.

Planned maintenance

Visitors to the firm’s website are told that it is temporarily down for planned maintenance.

But the hacking gang, also known as REvil, called the BBC to claim responsibility for the attack and to make known their ransom demand.

Travelex were forced to take down their sites in 30 countries across the world ‘to contain the virus and protect data’.

However, the hackers claim they gained access to the Travelex network six months ago and downloaded five gigabytes of ‘sensitive data’.

Credit card information

They claim it contains date of birth, credit card information and National Insurance numbers.

The hackers told the BBC: “In the case of payment, we will delete and will not use that database and restore them the entire network.”

Deadline

The conversation ended with a threat of action if the ransom is not paid on time.

The caller said: “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

Investigation

The Metropolitan Police is leading the investigation into the attack and said in a statement: “On Thursday, 2 January, the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing.”

Travelex has called in external cyber-security experts to back up their own teams of IT specialists who have been working continuously in partnership with the police.

Ransomware

Ransomware expert Fabian Wosar said the attack bore all the hallmarks of the REvil/Sodinokibi group.

He said: “This has been a quite sophisticated group for a long time now. The quoted ransom demands are consistent for the gang’s victims of Travelex’s size.

Bargaining chips

“Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom.

“The idea is to weaponise the hefty fines associated with GDPR violations to pressure the company into paying.”

A statement from Travelex insisted no customer data has been leaked, but they will not say what data is at risk.

Steps

The statement said: “Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful.

“To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.

“Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”

Data breach

The Information Commissioner’s Office says no data breach report has been received from Travelex. Under new General Data Protection Regulation (GDPR) rules, firms are required to submit a report within 72 hours unless the breach does not pose a risk to people’s rights and freedoms.

Failure to comply with the regulations could mean the company facing a penalty of up to 4% of its global turnover.

Compromised

The Travelex shutdown has affected a large network of other firms who have had their ability to sell currency online compromised.

Virgin Money, First Direct and Sainsbury’s Bank have all apologised to their customers for not being able to offer their usual online currency services.

Statement

In a statement Travelex boss Tony D’Souza said: “We regret having to suspend some of our services in order to contain the virus and protect data.

“We apologise to all our customers for any inconvenience caused as a result.”

No travel money

Some Travelex customers who had already ordered money online have not received it and have so far not been told when they will get a refund.

Natalie Whiting of Stevenage told the BBC she had ordered over £1,000 of euros online through Tesco which uses the Travelex service.

She said: “I haven’t been able to get a refund of my money, it just seems to be in limbo.

Confirmation

“I ordered over £1,000 of euros from Tesco Bank online for collection in my local Tesco store on December 31st, ready to be collected on January 3rd.

“The money was taken from my account and an order confirmation was sent to me, but I went to Tesco to collect my euros last Friday to be told of the Travelex issue.

“I am now £1,000 out of pocket after saving up for so long and there’s no information or help.”