The hacker broke into computers at Sea France, Wightlink, Holiday Places and other travel operators. Using false credit cards taken out in the names of fictitious Eastern Europeans, the intruder collected the cash, worth up to £5,000 a time, from cashpoint machines in the US.
The incident has raised concerns about the lack of adequate computer security among companies in the travel industry, many of which rely on systems that were developed more than a decade ago, before the creation of the Internet.
Investigators are working on the theory that the hacker gained access to the travel operators' Unix servers by tunnelling into the unsecured X.25 network links used by their software supplier, Anite Travel Systems, for remote maintenance.
The hacker either knew or was able to guess the passwords which provided access to the systems used by the companies to process credit card bookings.
Once inside, the intruder ran software which sent credit card refund requests through the travel companies' encryption systems to NatWest's Streamline, now part of the Royal Bank of Scotland credit card processing centre.
"They appear to have got into our machine in advance of the fraud taking place and planted some sort of file into the database which went unseen for some time.
"The guess was that it was somebody who had a quite good knowledge of the software we were using," said Roger Sandford, IT director at Wightlink.
The hacker covered his tracks electronically by using tools downloaded from the Internet to erase records from computer system logs. Investigators have only been able to recover fragments of deleted evidence.
Investigators believe that former employees of Anite Travel Systems, which maintains the Res2000 travel booking software used by all of the companies that came under attack, may have played a role in the attacks.
Anite has shed a significant number of technically qualified staff following its takeover of rival firm FSS three years ago. FSS originally owned and maintained the Travellog Res2000 system used by the travel operators.
The scam came to light when some of the operators spotted discrepancies and reported the matter to NatWest. "Streamline was already investigating the matter and came back to us very quickly. We didn't know it was fraud at first, we were just a bit concerned," said Jean Aubert, finance director at Sea France.
The hacker drew attention to his activities by applying for unusually high, suspiciously round figures. It might not have been noticed if he had gone for smaller or more irregular sums, said a source close to the investigation. Streamline has been able to block a significant proportion of the attempted transfers, but the three travel companies have been left tens of thousands of pounds out of pocket.
Portsmouth police, which is also investigating, said it was waiting for NatWest to hand over evidence from its internal investigation. NatWest said that the hacker did not penetrate its own systems. Anite Travel declined to comment.