High-street banks face disruption three weeks after Travelex hack

Foreign exchange services still disrupted, three weeks after Travelex received a $6m ransom demand from cyber gangsters

High-street banks are still struggling to offer foreign exchange services, three weeks after Travelex shut down its computer systems after cyber gangsters installed sophisticated malware that encrypted the company’s data.

Barclays Bank, HSBC, First Direct, Virgin, Clydesdale and Tesco Bank, which rely on Travelex for foreign exchange services, have confirmed that they are still unable to offer online exchange services or process orders for foreign currency.

The news comes after Travelex, which employs 9,000 people in 70 countries, said on Friday that it had begun to restore some IT services to some of its outlets in the UK, as part of a phased programme to restore services worldwide.

Travelex websites in 21 countries were out of action yesterday, displaying messages alerting customers to a “virus” attack that had disrupted its foreign exchange services. Only its websites in South Africa and Brazil have not been affected.

An assistant in a Travelex outlet confirmed that the bureau was unable to take card payments for foreign currency, had only limited stocks of some currencies, and was unable to request further supplies of currencies that were running short from Travelex.

Travelex CEO Tony D’Souza said in a video statement on Friday that the company was beginning to restore some IT services at its UK outlets.

“We have started with those capabilities of the business which impact our customers most, forex services and our VAT refunds, which we are bringing back in a phased way,” he said.

Staff in retail outlets have been forced to record transactions with pen and paper since cyber attackers used the Sodinokibi ransomware to encrypt sensitive data – including the names of clients and bank account and transaction details – on the company’s computer systems.

Travelex said it is introducing systems that will enable staff to record transactions “electronically”, starting with its outlets in the UK, but declined to say whether this meant anything more sophisticated than giving staff access to a spreadsheet or Word document.

The company faced demands for a $6m ransom to decrypt its computers after hackers infiltrated its computer network in the early hours of New Year’s Day. Travelex has not disclosed whether it has paid the ransom.

Travelex left critical security weaknesses unpatched in the Pulse Secure virtual private network (VPN) servers it uses to provide staff with remote internet access to its central computers, leaving the company’s networks vulnerable to attacks by criminals for eight months.

D’Souza said Travelex had been working with a world-renowned cyber expert to contain the ransomware attack and was shifting its attention to remediation and recovery.

“Our focus is on bringing systems up and running in such a way that we are not just returning to business as usual, but actually creating a stronger business,” he said. “We are enhancing and upgrading some systems along the way.”

The company said it is in an “advanced” state of restoring its VAT refund service. The service allows overseas visitors to reclaim VAT on their spending in the UK from Travelex outlets at Heathrow Airport. Staff have been recording transactions using pen and paper, but will be able to record transactions “electronically” once the service is up and running.

In Qatar, Travelex posted a notice on its website saying that the company had cleared its systems, which were back online and operating in stores as normal on 7 January 2020. It said: “Travelex Qatar customer data is not being sent to any central database in the UK.”

Travelex has hired Brunswick, which describes itself as a strategic advisory firm, to manage its communications about the crisis. Brunswick offers specialist services designed to minimise damage to organisations’ reputation following successful cyber attacks.

The company’s website says: “There may be an external perception of responsibility, even culpability by the company. How companies prepare for, respond to and lead after an attack is more important than the attack itself.”

Travelex has been criticised for being slow to explain to the public why its services were offline, with websites displaying notices saying they were unavailable because of “planned maintenance” for days after the company was hit.

The unanswered questions

Has Travelex paid the ransom to recover its data?

Cyber criminals behind the Sodinokibi attack told the BBC they were demanding $6m to provide decryption tools to unlock Travelex’s data. Travelex has refused to say whether it has paid up.

Did Travelex have backups of its customers’ data?

Travelex has refused to say whether it kept backups of the data it kept stored on its desktop computers at outlets and in offices.

Is Travelex customers’ data at risk?

Travelex says that, to date, there is no evidence that any data has left the organisation. However, the attackers claim to have 5GB of sensitive customer data, and on 7 January they threatened to sell credit card data, dates of birth and credit card data from Travelex on the dark web.

Britain’s high-street banks that rely on Travelex for online foreign currency services said this week that they had been unable to resume foreign exchange services disrupted by the cyber attack.

HSBC and First Direct said they were unable to take orders for foreign exchange online, through telephone banking or in branches, but had told customers they would restore travel money services once it is safe to do so.

Barclays Bank has apologised to customers and said it was working with Travelex to get its foreign exchange services up and running as quickly as possible.

Clydesdale Bank and Halifax displayed notices on their websites saying their travel money services were not available.

A spokesperson for Virgin Bank said: “Our focus is on bringing back a safe and secure service for customers as quickly as possible and we remain in regular dialogue with Travelex on achieving this.”

A Tesco Bank spokesman said: “We are working very closely with Travelex as they continue with their recovery process. We will update our own customers once we are able to restart ordering for travel money.”

Tesco was able to supply currency through 360 bureaus in Tesco supermarkets, operated by Travelex, the spokesman said.

UK Finance, a trade body that represents banks and financial services companies, said there may be delays before Travelex gets its services up and running again, and its partner banks restore their services.

“Individual firms have their own processes in place to ensure there is no risk to customers,” the spokesperson said. “This could lead to a delay between Travelex restoring its systems and partner firms being able to begin offering related services again.”

Travelex’s Abu Dhabi-based parent company, financial services firm Finablr, said on 7 January that it expected the cyber attack on Travelex to have no material financial impact on the group.

Finablr said it continues to monitor the situation closely and will update the market as required.

D’Souza said last week that Travelex’s bureau outlets had been able to continue offering services manually. “We are a largely transactional business,” he said. “It is a relatively small proportion of our end customers who use the online service – most of them go into a bureau.”

Join the conversation

Question - how can any organisation pay a ransom of $6m to an overseas criminal group with sufficient confidence that they aren't supporting an organisation involved in terrorism (or money laundering)? This also raises secondary questions for the banks that use Travelex that their supplier isn't engaged in terrorism financing? Hence it will be interesting if Travelex continues to 'no comment' on the question of ransom payment.