A cyber attack on Travelex, the world’s largest retail currency dealer, is the focus of a criminal investigation after hackers demanded a ransom to stop them publishing sensitive customer data including credit card information.
The Metropolitan Police on Tuesday confirmed that it was leading an investigation into the ransomware attack, which was discovered on New Year’s Eve and resulted in the company resorting to manually fulfilling orders after it had to take its services offline.
The UK’s National Cyber Security Centre was already looking at the attack, as well as regulators at the Financial Conduct Authority. The NCSC said it was continuing “to work closely with law enforcement partners and support the affected organisation”.
The BBC reported earlier on Tuesday that a cyber gang called Sodinokibi had contacted the news organisation to claim responsibility for the attack. It said the gang was demanding as much as $6m to prevent it releasing customer information, including dates of birth and credit card information, after first hacking the Travelex network six months ago.
McAfee, the cyber security company, has linked previous Sodinokibi attacks to Iran.
The issue is also affecting banks including Sainsbury’s and Virgin Money, which use Travelex’s foreign-exchange services and have been unable to process customers’ requests. Sainsbury’s said customers were still able to pre-order and purchase currencies in store, at one of the supermarket’s bureaux.
However, the retailer was unable to offer its usual service, whereby customers can order currency online and have it delivered to their homes or pick it up in store.
Virgin Money said: “Investigations by Travelex are ongoing, with no confirmed timescales for resolution.” The bank’s customers are unable to place any orders via the Virgin Money Travel Money website, the contact centre or in branches. Virgin said customers could process orders at a Travelex bureau directly.
The bank said January was a quiet time of the year for currency orders but said a small number of its customers were affected.
Since the new year, Travelex’s website has said its online currency services are temporarily unavailable “due to planned maintenance” and “will be back online shortly”.
Late on Tuesday, Travelex confirmed that the hack had been a Sodinokibi, or “REvil”, ransomware virus and said it had “taken steps to contain [its] spread”.
“Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated,” the company said.
Tony D’Souza, chief executive, apologised for the disruption caused by the attack. “We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data,” he said.
The company’s bureaux and ATMs, which the majority of customers use, remain operational.
Shares in Finablr, Travelex’s parent company, which is publicly traded in London, were down nearly 6 per cent on Tuesday.
Abu Dhabi-based Finablr has not made any comment since last week, when it said it noted Travelex’s statement that it had discovered a software virus.
“Organisations responding to a cyber blackmail incident of this significance need to act quickly and decisively — preparedness is the key to success,” said Ben Derrington, head of business risk and regulation at Ashfords, the law firm. “Such plans can’t be improvised quickly.”