Storm clouds gather over Travelex for hack blackout

Foreign exchange giant Travelex is facing a storm of protest over the week-long cyber-attack which has forced the business to pull all of its systems offline, affecting millions of its own customers as well as those of partner retailers such as Sainsbury’s, Tesco and Virgin Money.

The attack, which began on New Year’s Eve, is being perpetrated by a ransomware gang called Sodinokibi, also known as REvil, which claims it first gained access to the Travelex’s computer network six months ago and has since downloaded 5 gigabytes of sensitive customer data.

The group claims to have accessed dates of birth, credit card information and National Insurance numbers, although Travelex denies any data has been stolen.

A REvil hacker has told the BBC the group is demanding $6m (£4.6m) or company computer systems will be deleted and customer data sold online.

Travelex confirmed that no direct communication had been sent to customers about the attack, partly because all the computer systems are offline. Visitors to the Travelex UK website are also none the wiser; the site simply says the service is down for “planned maintenance”. Partner sites have similar messages.

A spokesman for the company said: “Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.

“Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”

However, Travelex has yet to report the incident to the Information Commissioner’s Office, putting the firm potentially in direct contravention of GDPR. Under the regulation, organisations must notify the regulator within 72 hours of becoming aware of a personal data breach, unless they believe the incident does not pose a risk to people’s rights and freedoms.

One customer told the BBC: “I ordered over £1,000 of euros from Tesco bank online for collection in my local Tesco store. The money was taken from my account and an order confirmation was sent to me, but I went to Tesco to collect my euros to be told of the Travelex issue. I am now £1,000 out of pocket after saving up for so long and there’s no information or help.”

Another said: “I ordered euros on December 23 from Tesco. Delivery was due on January 3 but nothing has yet arrived. There has been no communication from Tesco, so I called them. They simply say there is nothing they can do, that I must just wait until the problem is rectified, whenever that will be. I have been forced to purchase more euros elsewhere, leaving me considerably out of pocket.”

The Metropolitan Police’s Cyber Crime team is leading the investigation into the attack, but Travelex has not said whether or not it is negotiating with the hackers and has not given any timeframe for when normal service will resume.

It is not the first time Travelex has been hit by data governance issues. In March 2018, thousands of Tesco customers had their personal details exposed – including date of birth, home and mobile phone numbers, addresses, and email addresses – following a data leak.

Travelex confirmed over 17,000 customers could have been affected, although at the time Travelex insisted that no financial details had been compromised. All customers were offered a free year-long identity fraud protection service through Experian.