- Customers of banks including HSBC, Barclays, Lloyds and Westpac have been unable to get cash in foreign currencies more than a week after a Dec. 31 ransomware attack caused a disruption at currency exchange company Travelex, The Wall Street Journal reported Thursday.
- Travelex shut down its computer systems to stop the ransomware known as Sodinokibi, or REvil, from spreading further across its network, the company said in a statement. The malware works by encrypting a network’s data, locking the owner out of it. Travelex’s consumer-facing websites and app have been offline since the attack.
- In addition to handling banks’ online currency exchange services, Travelex operates more than 1,200 kiosks in airports and other tourist locations, and issues prepaid debit cards loaded with foreign currencies. Agents manning the locations have been tallying customer transactions using calculators and writing receipts by hand, the Journal reported Tuesday. Travelex has told its debit-card customers to access account information by phone or through alternate websites.
Hackers told the BBC on Wednesday they have downloaded 5 gigabytes of sensitive customer data since infiltrating Travelex’s network six months ago. They are demanding $6 million to return the data, which they’ve threatened to sell if Travelex doesn’t respond by Jan. 14. Hackers told Lawrence Abrams, a New York-based security researcher, that the data includes dates of birth, Social Security numbers and credit-card numbers, and that they deleted all data backups, according to The Wall Street Journal.
Travelex said in its statement it has contained the threat and there is "no evidence to date that any data has been exfiltrated," nor that any "structured personal customer data has been encrypted." But it added it doesn’t have a "complete picture" of what happened to its data.
The ransom may pale in comparison to any penalties London-based Travelex may receive if regulators determine the company didn’t do enough to protect customer data. Under European law, companies can be fined up to 20 million euros ($22 million) or 4% of the previous year’s worldwide annual revenue, whichever is higher. Travelex reported revenue of about $952 million in 2018, according to The New York Times.
London’s Metropolitan Police are leading a criminal investigation into the attack. Travelex has also hired cybersecurity experts to conduct forensic analysis.
Travelex’s recovery process won’t be as simple as just booting someone out of a system, David Grout, a regional chief technology officer for the security company FireEye, told the Times. It could take weeks for Travelex to determine how the hackers accessed the network. "Companies like them will need to rebuild some part of the architecture to understand the nature of the attack," Grout said.
Travelex said it did not anticipate any "material financial impact" for its owner, Finablr Group. But Finablr shares have fallen more than 15% since Travelex confirmed the attack.
The affected banks have not been reluctant to place blame on their third-party provider.
"Unfortunately we are unable to process foreign-currency orders due to an issue with our service provider, Travelex," Barclays said in an emailed statement. "We are sorry for the inconvenience and will be restoring the service as soon as we are able to do so."
The Royal Bank of Scotland said customers who had placed money orders in branches would be refunded if their orders were not fulfilled.
Third-party disruptions can severely damage business, as well as customers’ confidence in a bank. BB&T sued computer hardware vendor Hitachi Vantara in November, claiming the company was responsible for a "catastrophic" outage that kept millions of customers from accessing the bank’s online, mobile, ATM and wire transfer services for 15 hours over several days in February 2018. The outage cost the bank "about $15 million in lower deposit service charges and about $5 million in higher operating expenses," CFO Daryl Bible told analysts in April 2018.
Digital bank Chime also experienced an outage over two days in October because of a glitch at payment processor Galileo, which powers the platform. Colin Walsh, the CEO of competitor Varo, has said his fintech had one of its best weeks at Chime’s expense.
And Capital One disclosed a breach in July in which a former employee of cloud provider Amazon Web Services is charged with exposing 106 million customers’ sensitive data.
Travelex declined to say how many customers had been affected.