Travelex ransomware attack is impacting HSBC, Barclays, Lloyds and more

9 Jan 2020

Some of the institutions impacted by the attack. Image: PA Media

Attackers are reportedly threatening to release 5GB of customer data, including social security numbers and payment card information, if a $6m ransom is not paid.

After a recent cyberattack on Travelex, a number of the UK’s biggest high street banks have been affected, with Royal Bank of Scotland, HSBC and Barclays among those left with no online travel money services.

More than a dozen of the major banking players, also including Lloyds Banking Group and Virgin Money, are reporting that their online foreign currency systems are down following the New Year’s Eve ransomware attack on Travelex.

Many are offering customers services in branches, but orders cannot be processed online.

5GB of personal data held to ransom

London-headquartered foreign exchange company Travelex was forced to take all its global websites offline and is reportedly being held to ransom by the infamous ransomware strain called Sodinokibi, also known as REvil. Sodinokibi has been referred to by some as the “crown prince” of ransomware since its first appearance in early 2019.

It is understood the criminals are demanding cash – speculated to be around $6m – and are reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless Travelex pays up.

Travelex is the world’s largest retail currency dealer and provides travel money services for a host of partners, including the likes of Sainsbury’s Bank and Tesco Bank.

Travelex owner Finablr, which is based in the United Arab Emirates, said late on Tuesday (7 January) it is not expecting a “material financial impact” from the online attack.

Travelex has opened an investigation and confirmed in an update that while there has been some data encryption, and the extent is not yet known, there is no evidence that structured personal customer data has been breached.

‘No evidence that data has been transferred’

Some Travelex business partners have spoken to the PA news agency of their frustration at the lack of information from the company.

Travelex had also not yet formally reported a data breach to the UK Information Commissioner’s Office (ICO). Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms. A company that fails to comply can face a fine of up to 4pc of its global turnover, under GDPR.

Travelex has said it is working towards total recovery after successfully containing affected areas and added that it has managed to restore a number of internal systems.

As part of a detailed forensic analysis, the firm also said there is no evidence that data has been transferred out of the Travelex system, a process known as exfiltration.

In a statement, Travelex chief executive Tony D’Souza apologised for the inconvenience to partners and customers. He insisted the group was “working tirelessly to bring our systems back online”.

A joint investigation between the UK’s National Crime Agency and the Metropolitan Police is ongoing.

Travelex has a presence in more than 70 countries, and more than 1,200 branches and 1,000 ATMs worldwide. It processes more than 5,000 currency transactions every hour.

– PA Media