Police are investigating hackers holding Travelex’s computers for ransom, forcing the company’s staff to resort to using pen and paper to record transactions.
The firm initially said it had discovered the attack on New Year’s Day and immediately took its systems down, with its early investigations suggesting that no personal or customer data has been compromised.
However, individuals claiming to be affiliated with the group have told journalists that information was stolen from the company’s networks and could be released online if the ransom wasn’t paid.
Exchange services are having to be handled manually in branches during the outage, the firm has claimed.
Travelex confirmed on Tuesday night reports that it was hit by the Sodinokibi ransomware – also known as REvil.
It reiterated that the spread had been contained and there was no evidence that structured personal data had been encrypted or stolen, saying it was working with experts to complete a recovery of its systems.
In its statement about Travelex, the Metropolitan Police said its cyber crime team was making enquiries “with regards to a reported ransomware attack”.
Online news site BleepingComputer independently reported the same malicious software had hit the company, and that one of the hackers had claimed to have encrypted the company’s entire network.
The cyber criminals were reportedly demanding $3m, to be paid within seven days of the attack, or they would publish all of the information they had stolen.
Ransomware is one of the most common methods hackers use to make money out of their access to victims’ computer networks.
This malicious software will encrypt the files on the computer – making them inaccessible unless the victim pays the hackers in order to receive the key which would decrypt their files.
A ransomware attack known as WannaCry which severely impacted the NHS in 2017 was subsequently blamed on the North Korean regime attempting to raise funds amid sanctions over its nuclear programme.
When the attack on Travelex was first announced, chief executive Tony D’Souza said: “We regret having to suspend some of our services in order to contain the virus and protect data.
“We apologise to all our customers for any inconvenience caused as a result. We are doing all we can to restore our full services as soon as possible.”
Foreign currency purchases through third parties which work with Travelex, including Sainsbury’s Bank and Virgin Money, are also currently unavailable.
The company’s website currently reads: “Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly.”
Travelex has a presence in more than 70 countries and has more than 1,200 branches and 1,000 ATMs worldwide, with exchange machines a common sight at airports, and customers can also use a smartphone app.
The London-based firm processes more than 5,000 currency transactions every hour.
The issue comes almost two years after the company was embroiled in another IT crisis, when it mistakenly leaked customer data from thousands of Tesco Bank accounts.
The group, which provided foreign currency on behalf of Tesco Bank, shared the database by mistake in March 2018, exposing the details of 17,000 people.
Those included full names, emails, phone numbers, IP addresses and the final digits of bank cards.
Brett Callow, a cyber security expert and threat researcher at security firm Emsisoft, told Sky News: “Ransomware groups are now stealing data prior to encrypting it, meaning that ransomware incidents are now effectively data breaches.
“Consequently, prevention and early detection are more critical than ever. A company whose data is stolen has no good options available.
“The fact that Travelex appears not to have patched servers which it had been notified were vulnerable can only be described as shockingly negligent,” Mr Callow added.
If the UK’s data watchdog, the Information Commissioner’s Office (ICO), shares Mr Callow’s opinion about Travelex being negligent, then the company could be in for a large fine of up to 4% of its global turnover under new data protection laws.