The numbers that often glow with change charges on Travelex boards in airports worldwide have gone darkish, after the London-based foreign money change firm was pressured to go offline after it found a ransomware assault on Dec. 31.
The disruption has additionally affected banks like Barclays, Royal Bank of Scotland and HSBC, which have been unable to satisfy overseas foreign money orders for his or her clients.
Travelex mentioned it had contained the risk and had no proof that buyer information had been eliminated. It has been providing solely over-the-counter providers since New Year’s Eve, when it found that it had been compromised by ransomware often known as Sodinokibi, or REvil.
The hackers advised the BBC on Wednesday that that they had downloaded 5 gigabytes of delicate buyer information since getting access to Travelex six months in the past and meant to promote it if there was no response by Jan. 14. They have demanded $6 million for the info’s return, in keeping with the BBC.
Travelex, which has greater than 1,200 shops, kiosks and counters in not less than 70 international locations, mentioned in an online statement that it did not have a “complete picture” of what had happened to its data.
The company declined to provide details on how many customers had been affected, what data was at risk or when it expected the problem to be resolved. It said the investigation continued, and declined to comment on the hackers.
“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data, as well as provide an excellent service to our customers, and we sincerely apologize for the inconvenience,” Tony D’Souza, the Travelex chief executive, said in the statement.
Travelex is still changing money, but must do the calculations by hand, based on rates issued each morning from its headquarters. At a central London branch of Travelex on Thursday, its ATMs permitted withdrawals only in pounds and the screens that usually show the exchange rates offered for each currency were blank.
Banks including Barclays, Royal Bank of Scotland and HSBC that use Travelex to offer currency exchange services are waiting for the issue to be fixed, as well.
“Unfortunately we are unable to process foreign-currency orders due to an issue with our service provider, Travelex,” Barclays said in an emailed statement. “We are sorry for the inconvenience and will be restoring the service as soon as we are able to do so.”
The Royal Bank of Scotland said that customers who had placed money orders in branches would be refunded if the order had not been fulfilled.
The episode raised questions about how many more parts of the financial system could be at risk, said Bob Sullivan, a cybersecurity expert.
“We would not normally think of a company like Travelex as infrastructure, but clearly it is,” Mr. Sullivan said. “A big payment company that has tentacles into hundreds of institutions: It’s a reminder of how fragile these systems are.”
London’s Metropolitan Police and the National Crime Agency are conducting criminal investigations. The National Cyber Security Center, part of a government intelligence agency, also said it was working to understand the hack’s impact.
The company has not reported a data breach, according to the Information Commissioner’s Office, a British government agency that enforces data-protection laws.
Travelex could also come under scrutiny from data protection authorities. Under European data privacy law, companies can be fined for being hacked if regulators determine that they did not do enough to protect the information. Firms found to have made the most serious infringements of European law can be fined as much as 20 million euros, or about $22 million, or 4 percent of the previous year’s worldwide annual revenue, whichever is higher. British Airways was fined nearly $230 million last year for privacy lapses.
“This is new because it combines a ransomware attack with the threat of G.D.P.R. fines,” said Mr. Sullivan, referring to the European Union’s general data protection regulation. “This is why these folks think they can get a big payday.”
Travelex had revenue of £729.5 million, or about $952 million, in 2018, according to its annual report.
The Financial Conduct Authority, a regulator, said it was also in contact with Travelex and expected it to “treat affected customers fairly.” The regulator said customers with concerns about currency orders should contact Travelex or the bank where they had placed the order.
Travelex said the software virus was detected on Dec. 31, but it was not reported to the Metropolitan Police until Jan. 2. “Among others, we reported to the N.C.S.C., and then the N.C.A. who in turn passed it to the Metropolitan Police to investigate,” a company press official said.
The shutdown’s duration has prompted complaints from customers unable to get access to their travel money and frustrated by the lack of information from the company. Customer service telephone numbers were shared on social media and the Travelex website.
The firm also attracted criticism from security experts, who said that Travelex had been warned about weaknesses in its system before but had not responded. One security company, Bad Packets, told Computer Weekly that it told Travelex about a vulnerability last April but the firm took six months to fix it and its systems could have been compromised within that time. Travelex declined to comment.
“It’s clear they’re not ready for this,” said Mr. Sullivan, the expert. “Clearly they didn’t have a recovery plan.”
It could take weeks for Travelex to determine how the hackers had embedded themselves into its system, said David Grout, a regional chief technology officer for FireEye, a security firm. It might not be as simple as just booting somebody out of a system.
“Companies like them will need to rebuild some part of the architecture to understand the nature of the attack,” Mr. Grout added.
Travelex said it did not anticipate any “material financial impact” for its owner, Finablr Group, based in Abu Dhabi. But Finablr shares fell more than 15 percent on the London Stock Exchange after Travelex confirmed the attack.