By Anna Isaac and Caitlin Ostroff
A New Year's Eve ransomware attack on foreign-currency exchange
company Travelex has disrupted cash deliveries from its global
network of vaults to major international banks.
Banks in the U.K., including units owned by Barclays PLC, Lloyds
Banking Group PLC, as well as Westpac Banking Corp. in Australia
said Thursday they were unable to take orders from customers in
branches that rely on Travelex to supply cash in foreign
currencies. The banks' online retail foreign-currency exchange
services, which are outsourced to Travelex, were also shut off.
Travelex's internal networks and consumer-facing websites and
app have been offline since the attack, after the company shut down
its computer systems to stop a ransomware virus that infiltrated
A Travelex spokeswoman confirmed that the outage has limited the
service its wholesale operations provided to other
Representatives for Barclays, Lloyds and Westpac all confirmed
the disruptions were because of the Travelex outage.
Travelex, a unit of U.K.-listed payments conglomerate Finablr
PLC, is best known for its global network of retail
foreign-exchange kiosks that target customers passing through
international airports. Those operations have been hobbled by the
attacks, with agents resorting to manual operations, writing
handwritten receipts. Travelex has told customers of its prepaid
currency debit cards, popular with overseas travelers, to access
account information by phone or through alternate websites.
A lesser known, but important, part of Travelex's operations is
its business helping other financial institutions manage their
supply of foreign bank notes.
Underpinning this business is a network of high-security vaults
in 14 countries including the U.S., with a vault in Louisville,
Ky., the U.K., Australia, Japan and China. It uses these vaults to
supply cash notes to wholesale clients including banks, central
banks, travel agencies, hotels and casinos, according to a company
bond prospectus from 2017 and a separate business brochure that
appeared to be posted on a company website in September 2019.
Travelex's central bank clients have included the Central Bank
of Nigeria, where it was responsible for the distribution of U.S.
dollars in Lagos, according to the bond prospectus. A spokesman for
the Central Bank of Nigeria declined to comment.
The business brochure describes Travelex's work with Malaysia's
central bank, where it has provided foreign currencies and
consulted with it to stop traffickers illegally transporting bank
notes into the country. Bank Negara Malaysia representatives didn't
immediately respond to requests to comment.
In a statement this week, Travelex said that the software virus
is a ransomware known as Sodinokibi, also commonly referred to as
REvil. It said the attack froze access to its data by locking it up
in encrypted form.
Ransomware is a technique used to extort money by infecting
systems and then shutting off access to data and processing
capabilities. Money is demanded by the attackers in exchange for
regaining access or to prevent data breaches. A string of such
attacks have hampered operations at companies and governments in
the past year.
Successful ransomware attacks, in which victims pay money to
release their data, appears to have encouraged more attacks and
demands for bigger ransoms. In June 2019, the city of Riviera Beach
in South Florida paid nearly $600,000 to hackers who paralyzed the
city's computer systems.
Lawrence Abrams, a New York-based security researcher, said he
had contact with the group behind Sodinokibi on Tuesday, which
claims to have hacked Travelex.
The group implied to Mr. Abrams that it is in negotiations with
Travelex for it to pay a $3 million ransom and that the company had
until early next week before they released the data publicly. The
group told Mr. Abrams they have stolen 5 gigabytes of data,
including dates of birth, social security numbers and credit card
numbers, and that it deleted all data backup.
A Travelex statement issued Tuesday said that there was "no
evidence to date that any data has been exfiltrated" or taken off
the network. "There is no evidence that structured personal
customer data has been encrypted," the company said. Structured
data usually refers to information that can be easily analyzed,
such as data in a spreadsheet or database.
Mr. Abrams said the hacking group might be bluffing to pressure
the company into paying the ransom.
"Ransomware is very public. They want to leverage this fear
factor," he said. He noted that the group he communicated with also
declined to provide Mr. Abrams with a screenshot proving their
possession of customer data.
The Travelex spokeswoman declined to comment about whether it is
interacting with the attackers or what ransom demand has been
"There is an ongoing investigation. We have taken advice from a
number of experts," she said. London's Metropolitan Police are
spearheading a criminal investigation. The company has also hired
cybersecurity experts to conduct forensic analysis of the
Write to Anna Isaac at firstname.lastname@example.org and Caitlin Ostroff at
(END) Dow Jones Newswires
January 09, 2020 13:22 ET (18:22 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.
Westpac Banking (ASX:WBCCD)
Historical Stock Chart
From Oct 2020 to Nov 2020
Westpac Banking (ASX:WBCCD)
Historical Stock Chart
From Nov 2019 to Nov 2020