Site navigation

Major Currency Exchange Travelex Confirms Ransomware Attack

Dominique Adams



Travelex staff have been reduced to using pen and paper to record transactions following a ransomware attack. 

Foreign exchange company Travelex is being held to ransom by hackers who have forced the firm to take all of their computer systems offline.

The attack, which was launched on New Year’s Eve, has compelled the company to take down its websites across 30 countries in order to contain “the virus and protect data”. The hackers claiming responsibility for the attack, a ransomware group known as Sodinokibi or REvil, told the BBC that it is demanding Travelex handover £4.6 million.

They claim to have had access to the company’s network over the past six months and say they have downloaded 5GB of sensitive customer data, which includes dates of birth, credit card information and national insurance numbers.

“In the case of payment, we will delete and will not use that [data]base and restore the the entire network,” they said. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”

The company said the virus has been contained and there was no evidence that structured personal data had been encrypted or stolen. The company is currently working with experts to complete a recovery of its systems.

Travelex chief executive Tony D’Souza said: “We regret having to suspend some of our services in order to contain the virus and protect data. We apologise to all our customers for any inconvenience caused as a result. We are doing all we can to restore our full services as soon as possible.”

The company’s website currently reads: “Our online, foreign currency purchasing service is temporarily unavailable due to planned maintenance. The system will be back online shortly.”


According to the Information Commissioner’s Office (ICO), Travelex has not notified the watchdog of the breach.

A spokeswoman for the ICO said:”Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms.

“If an organisation decides that a breach doesn’t need to be reported, they should keep their own record of it and be able to explain why it wasn’t reported if necessary.”

Companies that fail to comply with the General Data Protection Regulation run the risk of facing a maximum fine of 4% of their global turnover.

In a statement, the Metropolitan Police, which is leading the investigation into the attack, said: “On Thursday, 2 January, the Met’s Cyber Crime Team were contacted with regards to a reported ransomware attack involving a foreign currency exchange. Inquiries into the circumstances are ongoing.”

Dominique Profile Picture

Dominique Adams

Staff Writer, DIGIT

Latest News

%d bloggers like this: