Travelex customers left in cashless limbo, ICO not formally alerted to data theft claims

The ransomware attack has infuriated stranded customers and the ICO has still not seen an official data breach report.
Written by Charlie Osborne, Contributing Writer

Travelex's situation is becoming worse by the day.

Since a ransomware attack on New Year's Eve, the currency provider's online services have remained offline, third-party companies that leverage the Travelex system have been rendered useless, the cybercriminals responsible have demanded a ransom and issued a deadline, customer fury has spiked, and now, the UK's Information Commissioner's Office (ICO) is waiting to become involved. 

The currency exchange originally said a "software virus" had compromised its systems, but that it was "contained" while staff "worked to restore systems and resume normal operations as quickly as possible."

To the confusion of customers attempting to access third-party currency services including those offered by Tesco Bank, HSBC, Sainsbury's Bank, Lloyds, and Virgin Money, a "planned maintenance" message was in place for days, while at the same time, Travelex was responding to queries across social media with talk of the "software virus."


The UK Metropolitan Police says it was contacted on January 2 "with regards to a reported ransomware attack involving a foreign currency exchange" and an investigation is now underway. 

Sodinokibi is behind the attack. Travelex has confirmed that the group, also known as REvil, has managed to encrypt at least some customer data. 

"To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted," the company said. "Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."

If the situation was truly contained, it seems strange that the ransomware operators at the heart of the security incident would feel confident enough to demand a ransom payment, reportedly pegged at $6 million in return for decryption, restoration of IT systems, and the preservation of customer data -- of which the hackers claim to possess dates of birth, credit card information and national insurance (NI) numbers. 

As reported by the BBC, the threat actors claim to have accessed Travelex systems six months ago, leading to the exfiltration of 5GB in customer information. 

Last year, it was discovered that Sodinokibi was making use of Windows zero-day vulnerabilities, unusual methods to maintain persistence on infected systems, and skeleton keys that permit operators to decrypt files no matter which keys are in use -- which could mean bad news for Travelex if these master keys work with the variant in play and can be used to exfiltrate encrypted customer data.

The use of such keys has led to further speculation that developers may be offering the malware as ransomware-as-a-service (RaaS).

Only a few days ago, a warning was sent out to businesses using unpatched Pulse Secure VPN servers, as it appears Sodinokibi ransomware operators are actively targeting these systems. 

Travelex has apologized to customers, who must visit in-branch to order or collect their currency until the situation has been contained. However, the ongoing fracas has led to client frustration. 

A number of customers have complained of being "fobbed off" by the currency exchange, as noted by The Independent, with ordered currency stuck in digital limbo and some users, currently abroad, left unable to access funds placed on Travelex ATM cards before the cyberattack locked the firm's systems.

One customer complained that there has been "no help, no customer service."

Travelex has not issued any form of timeline for the restoration of services.

Under the EU's General Data Protection Regulation (GDPR) and UK data protection laws, companies are now obligated to inform the ICO of data breaches. However, an ICO spokesperson has said that Travelex is yet to file any such report. 

"Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms," the spokesperson added. "If an organization decides that a breach doesn't need to be reported, they should keep their own record of it and be able to explain why it wasn't reported if necessary."

If this incident is deemed of a serious enough nature and one in which Travelex failed to adequately protect computer systems and the customer data it holds, the ICO can issue a fine of up to four percent of annual global turnover. The decision not to inform the ICO as soon as the potential breach was noticed may also be a factor in any future fines. 


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
