Travelex staff go back to basics as ransomware cripples systems

By Noor Zainab Hussain and Kirstin Ridley

LONDON (Reuters) – Staff at foreign exchange firm Travelex are using pen and paper to serve thousands of customers after the company said cyber hackers were holding its systems to ransom, leading to a global blackout on its online currency exchange services.

The currency trader, which also provides forex services for customers of HSBC, Barclays, Virgin Money and the banking arms of British retailers Tesco and Sainsbury, said on Tuesday a software virus identified on Jan. 2 was a ransomware attack.

The spread of the ransomware, which Travelex said it had successfully contained, forced the company to take all its systems offline, causing chaos for New Year holidaymakers and business travellers seeking online currency services.

The company, which has a presence in more than 70 countries, is currently only able to serve customers face-to-face at its 1,200 on-airport and off-airport locations worldwide.

A criminal investigation led by London’s Metropolitan Police is now also underway.

The Financial Conduct Authority, Britain’s markets regulator, said it was also in contact with the firm to ensure affected customers were being treated fairly. The National Cyber Security Centre said it was providing technical support.

Scores of people turned to Twitter to vent their frustration at being left without cash they had ordered for their travels.

Travelex’s parent company Finablr Plc said the hackers used a type of ransomware called Sodinokibi — also commonly referred to as REvil — in an attempt to encrypt customer data.

Travelex said there was no evidence yet that any data had been stolen.

Finablr processes more than 150 million transactions per year — all of which rely on the efficient and uninterrupted operation of computer and communication systems. According to its listing prospectus, published last year, the company has computer-crime insurance to cover cyber risks.

But the incident sent the company’s shares slumping almost 20% to a record low on Wednesday, a drop exacerbated by two major investors selling shares worth about $72 million in the payments firm.

A Virgin Money spokesman said customers were unable to place orders via the Virgin Money Travel Money website or any Travelex website or the contact centre but that customers could process orders at a Travelex Bureau directly.

Sainsbury’s Chief Executive Mike Coupe described the incident as “disruptive” but said customers could still buy currency over-the-counter, while a spokesman for Tesco said its 360 in-store Travel Money outlets were operating as normal.

A spokeswoman for HSBC said its UK bank branches held some euro and dollar stock for immediate purchase but it was unable to take travel money orders. Barclays apologised to its affected customers and said it would restore service “as soon as it was able to do so”.

Travelex, which had computer specialists and external cybersecurity experts work on isolating the virus, is gradually restoring a number of internal systems and is working to resume normal operations as quickly as possible.

Global companies are increasingly facing ransom-demanding hackers who cripple businesses’ technology systems and only stop after receiving substantial payments.

These hackers use malicious programmes such as ransomware to take down systems controlling everything from supply chains to payments to manufacturing.

Neither Finablr nor Travelex provided any detail on the costs of handling the incident so far but Finablr said it did not currently expect to suffer any material financial impact from the incident.

Another European company, aluminium maker Norsk Hydro <NHY.OL>, faced costs of between 300 million and 350 million Norwegian crowns ($39.52 million) in its first quarter last year following a similar cyber attack in March.

“The ongoing attack against Travelex is arguably the worst case scenario for how crippling ransomware can be,” Stuart Reed, vice president for cybersecurity at British web services firm Nominet, said.

“If there was ever any doubt that a cyber attack could have a significant effect on financial markets, this proves otherwise.”

Hackers have grown more sophisticated during the past year, cybersecurity experts say, shifting from individuals to larger companies that can afford bigger ransoms.

In August, hundreds of dental offices around the United States found they could no longer access their patient records because of a Sodinokibi attack, according to Malwarebytes, which sells cybersecurity software.

Finablr’s other six brands – UAE Exchange, Xpress Money, Unimoni, Remit2India, Ditto and Swych – are not affected and are operating normally, it said.

($1 = 8.8580 Norwegian crowns)

(Additional reporting by Carolyn Cohn and Lawrence White; writing by Sinead Cruise, Editing by Shailesh Kuber/Louise Heavens/Jane Merriman)