Foreign currency trader Travelex has fallen victim to a cyber-attack from a ransomware gang called Sodinokibi.
The criminals behind the hack told the BBC they are demanding $6m (£4.6m) or company computer systems will be deleted, and customer data sold online.
Cashiers have been resorting to using pen and paper to keep money moving at cash desks in airports and on high streets, but orders online have been affected.
The breach was first discovered on New Year’s Eve, and the company called in specialists from the Metropolitan Police’s Cyber Crime Team. They took all computer systems offline on December 31st, affecting thousands of sites in dozens of countries. This was a bid to contain the attack.
However, customers said they felt let down after being left with no travel money from the company.
One customer, Natalie Whiting from Stevenage, ordered £1,000 worth of euros online through Tesco.
She told the BBC: “I haven’t been able to get a refund of my money; it just seems to be in limbo.”
Travelex says that there is no evidence customer data has been compromised.
Foreign money
Business partners which rely on Travelex for currency services, like Sainsbury’s, Tesco and Virgin Money, have also been affected.
Ms Whiting added: “I ordered over £1,000 of euros from Tesco bank online for collection in my local Tesco store on 31 December, ready to be collected on 3 January.
“The money was taken from my account and an order confirmation was sent to me, but I went to Tesco to collect my euros last Friday to be told of the Travelex issue.
“I am now £1,000 out of pocket after saving up for so long and there’s no information or help.”
Computers
Travelex confirmed to the BBC that no direct communication had been sent to customers about the attack, partly because all the computer systems are offline.
Visitors to the Travelex UK website are told that the site is down for “planned maintenance” and partner sites, including Sainsbury’s travel money, have similar messages.
In a statement, the company attributed the outage to more than just “a virus” and confirmed that it had fallen victim to the Sodinokibi ransomware, also known as REvil. “Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful.”
It added: “To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.”
The attackers are believed to have gained entry via unpatched Pulse Secure VPN servers. They claimed to have dates of birth, credit card information and national insurance numbers in their possession.
The cyber criminals behind the cyber-attack usually gather organisational data before commencing the encryption process. They then threaten to release the data if the targeted organisation does not pay up.
The Travelex statement continues: “Having completed the containment stage of the remediation process, detailed forensic analysis is fully underway, and the company is now also working towards recovery of all systems. To date, Travelex has been able to restore a number of internal systems, which are operating normally.”