UPDATE: June 7, 2020: An investment company backed by Brazilian billionaire Joseph Safra is considering a takeover bid for foreign exchange provider Travelex, the Mail on Sunday reported Saturday.
The bid comes more than a month after Travelex's parent company, Finablr, revealed it held about $1 billion in debt that it hadn't disclosed to its board — a figure that was “materially above” what it had reported last June, according to a statement.
Travelex appointed PricewaterhouseCoopers to find a buyer. Other potential bidders include Los Angeles-based investment firm Marlin Equity Partners, the Mail reported.
Safra's $22.8 billion net worth makes him the world's richest banker, according to Forbes.
UPDATE: April 23, 2020: Travelex has put itself up for sale, the company announced Wednesday. The move comes about a month after its parent company Finablr warned that it was preparing for potential insolvency — and nearly four months after a ransomware attack left banks unable to get cash in foreign currencies through the company.
“As part of its continuing assessment of strategic options to maximize value for its stakeholders, the Board of Travelex Holdings Limited has decided to seek offers for the Travelex group, and has communicated this intention to Finablr plc,” the company said in a statement, according to Reuters. “The company will continue to update stakeholders on the sale process and parallel discussions with creditors as appropriate."
Fallout from the hack could put a $30.8 million dent in the Travelex's first-quarter underlying core earnings, Reuters reported.
UPDATE: April 13, 2020: Travelex paid the hackers who caused a January disruption the equivalent of $2.3 million in the form of 285 bitcoin, The Wall Street Journal reported Thursday, citing a person familiar with the transaction.
The company said it had begun reinstating some of its operations in January and revived its consumer business in the latter half of February. But Travelex's parent company, Finablr, said last month that it was preparing for a potential collapse as investors questioned its financial arrangements and operational ability during the coronavirus crisis.
A U.K.-based investigation into the breach is continuing, a Travelex spokesman said.
- Customers of banks including HSBC, Barclays, Lloyds and Westpac have been unable to get cash in foreign currencies more than a week after a Dec. 31 ransomware attack caused a disruption at currency exchange company Travelex, The Wall Street Journal reported Thursday.
- Travelex shut down its computer systems to stop the software virus known as Sodinokibi, or REvil, from further spreading across its network, the company said in a statement. The virus acts by locking up a network’s data in encrypted code. Travelex’s consumer-facing websites and app have been offline since the attack.
- In addition to handling banks’ online currency exchange services, Travelex operates more than 1,200 kiosks in airports and other tourist locations, and issues prepaid debit cards loaded with foreign currencies. Agents manning the locations have been tallying customer transactions using calculators and writing receipts by hand, the Journal reported Tuesday. Travelex has told its debit-card customers to access account information by phone or through alternate websites.
Hackers told the BBC on Wednesday they have downloaded 5 gigabytes of sensitive customer data since infiltrating Travelex’s network six months ago. They are demanding $6 million to return the data, which they’ve threatened to sell if Travelex doesn’t respond by Jan. 14. Hackers told Lawrence Abrams, a New York-based security researcher, the data includes dates of birth, Social Security numbers and credit-card numbers, and that they deleted all data backup, according to The Wall Street Journal.
Travelex said in its statement it has contained the threat and there is "no evidence to date that any data has been exfiltrated," nor that any "structured personal customer data has been encrypted." But it added it doesn’t have a "complete picture" of what happened to its data.
The ransom may pale in comparison to any penalties London-based Travelex may receive if regulators determine the company didn’t do enough to protect customer data. Under European law, companies can be fined up to 20 million euros ($22 million) or 4% of the previous year’s worldwide annual revenue, whichever is higher. Travelex reported revenue of about $952 million in 2018, according to The New York Times.
London’s Metropolitan Police are leading a criminal investigation into the attack. Travelex has also hired cybersecurity experts to conduct forensic analysis.
Travelex’s recovery process won’t be as simple as just booting someone out of a system, David Grout, a regional chief technology officer for the security company FireEye, told the Times. It could take weeks for Travelex to determine how the hackers accessed the network. "Companies like them will need to rebuild some part of the architecture to understand the nature of the attack," Grout said.
Travelex said it did not anticipate any "material financial impact" for its owner, Finablr Group. But Finablr shares have fallen more than 15% since Travelex confirmed the attack.
The affected banks have not been reluctant to place blame on their third-party provider.
"Unfortunately we are unable to process foreign-currency orders due to an issue with our service provider, Travelex," Barclays said in an emailed statement. "We are sorry for the inconvenience and will be restoring the service as soon as we are able to do so."
The Royal Bank of Scotland said customers who had placed money orders in branches would be refunded if their orders were not fulfilled.
Third-party disruptions can severely damage business, as well as customers’ confidence in a bank. BB&T sued computer hardware vendor Hitachi Vantara in November, claiming the company was responsible for a "catastrophic" outage that kept millions of customers from accessing the bank’s online, mobile, ATM and wire transfer services for 15 hours over several days in February 2018. The outage cost the bank "about $15 million in lower deposit service charges and about $5 million in higher operating expenses," CFO Daryl Bible told analysts in April 2018.
Digital bank Chime also experienced an outage over two days in October because of a glitch at payment processor Galileo, which powers the platform. Colin Walsh, the CEO of competitor Varo, has said his fintech had one of its best weeks at Chime’s expense.
And Capital One unveiled a breach in July in which a former employee of cloud provider Amazon Web Services is charged with exposing 106 million customers’ sensitive data.
Travelex declined to say how many customers had been affected.