Getty Images

Suspected ransomware attack causes worldwide disruption for Travelex

Travelex switches off computer systems and resorts to cash-only currency sales after malware attack. Insiders claim the currency exchange chain has been hit by ransomware which has left critical files containing customer data encrypted

The money exchange Travelex is facing worldwide disruption after its IT systems were attacked by malware in the early morning of New Year’s Eve.

The attack, attributed by company insiders to ransomware, disrupted communications across the company, leaving outlets in the UK and other countries unable to take payments for foreign currency using credit or debit cards.

The incident has caused chaos for customers, many of whom have complained on social media that they are unable to top up their Travelex currency cards, confirm transactions have taken place or check their balances.

One Travelex customer took to Twitter to report she had been left stranded without access to cash in Greece: “I’m #stranded in Athens with 3euro left on my Travelex card because both your website and app reloads don’t work. This seems to be an issue you have been aware of for at least 6 hours. Seems real convenient for a card that promised me seamless transactions.”

On 2 January, Travelex websites in Europe, including the UK, Belgian and Holland, Qatar and the United Arab Emirates in the Middle East, and China either did not respond or showed error messages. The US and Canada were unaffected.

UK Travelex website returns error message

The outage has also affected customers of Tesco Bank, which relies on Travelex to provide its foreign exchange services. The bank yesterday used Twitter to redirect its customers to Travelex for assistance.

Travelex said in a statement that it discovered a software virus had compromised its services on New Year’s Eve and as a precautionary measure to protect data and prevent the spread of the virus it had taken all of its systems offline.

Victim of ransomware

One person familiar with the incident said the company’s IT systems had been infected by malware known as ransomware, which is used by cyber criminals to maliciously encrypt data on computer systems unless companies agree to pay a ransom to decrypt it.

The person told Computer Weekly that computers containing confidential information, including names of clients and bank account and transaction details, had been infected by the virus.

“My concern is that confidential customer details are contained in some of the millions of document files involved,” the person said.

A spokesman said Travelex was working with security experts and running further investigations to determine the root cause of the virus, but could not go into further detail until it had completed its own investigations.

“So far, those investigations, which remain ongoing, have found no evidence of any data breach, and we continue to do everything we can to protect our customers and maintain data privacy and protection as we work to resolve the issue,” the spokesman said. 

Staff told not to talk about the problem

Travelex managers have instructed employees not to open any documents with the title “readme” or other suspicious files in the wake of the attack.

Staff have also been told not to discuss the situation, but, if asked, to tell customers they have been instructed to say there is a system problem, Computer Weekly has learned.

“Staff are being told very little and are extremely stressed. It could be weeks before the system is back online. As we have no access to emails, information from managers is ad hoc and limited”
Anonymous source

The company has provided staff at Travelex outlets with cash receipt books to manually fill in until its computer systems are up and running.

“Staff are being told very little and are extremely stressed. It could be weeks before the system is back online. As we have no access to emails, information from managers is ad hoc and limited,” one person familiar with the situation told Computer Weekly.

Travelex outlets in the UK were telling customers yesterday that they could only provide foreign currency for cash payments, and directed people who wanted to pay by card to cash machines.

One person said staff had been locked out of their computers, and were unable to complete card transactions, or check customers’ currency orders, both of which required computer and internet access.

Communications between Travelex outlets and other parts of the business, which are normally conducted through email, had been disrupted and employees were receiving limited information by phone.

Countermeasures in place

Travelex said it had deployed teams of IT specialists and external computer security experts, who have been working continuously since New Year’s Eve to isolate the virus and restore affected systems.

Tony D’Souza, chief executive of Travelex, said: “We regret having to suspend some of our services to contain the virus and protect data. We apologise to all our customers for any inconvenience caused as a result. We are doing all we can to restore our full services as soon as possible.”

The UK’s National Cyber Security Centre (NCSC), part of GCHQ, which advises businesses on cyber security, said it was working with Travelex on the attack.

A spokesman said: “We are aware of this incident and working closely with the affected organisation to understand its impact.”

Jake Davis, a computer security expert, said Travelex’s description of the incident as a virus was consistent with ransomware.

“The messy and inconsistent way in which their websites and services abruptly shut down also indicates a sudden urgency to pull certain pieces of the network offline; that, or they were compromised due to the ransomware,” he said.

Davis said companies often pay ransoms to have their data unlocked as a way to limit damage to their organisations.

Other options are to restore files from a backup, which can be complex if individual employee workstations have been compromised.

It is also possible to decrypt some types of ransomware, if they are well known and have already been analysed by security researchers.

The NCSC website offers advice to companies on protecting against ransomware

What customers said on Twitter

@TravelexUK What is going on with your website and app being down? I need to load my currency card with dollars but the site and app seem to have been down all day.

@TravelexUK last time I will be using your services. What is the point of having a travel money card that won’t let you top up or check balance and has no decent messaging on website or in the app to alert you to ongoing service problems? Far from impressed.

In Paris and affected by the #travelex #CyberAttack – online systems taken down on the 30/12 with iphone #money app connection errors. No assistance for 2 days and just got a reply. Good time to reassess our #security posture.

@Travelex_AUS any news on your app and website please? Is there any other way to check my balance and reload my card? Thanks.

@Travelex_AUS what seems to be up with your website and app to top up funds?

Next Steps

Engineering firm thwarts ransomware attack with Nasuni

Read more on Hackers and cybercrime prevention