International money transfer service Travelex extorted by hackers

Foreign exchange company Travelex was hit by cyber attackers wielding the Sodinokibi (aka REvil) ransomware demanding $6 million (£4.6 million). More than a week later, the company’s websites and online services are still offline despite the company’s remediation efforts.

The ransomware gang known as Sodinokibi — also as REvil — says it has downloaded more than 5GB of sensitive customer data, including dates of birth, credit card information and national insurance numbers, which it will publish if payment is not made within a week. The hackers originally demanded $3 million, but doubled the sum after two days of non-payment.

The attackers claim to have had access to the company’s computer network for the last six months, which allowed them to download customer data.

Following the attack — which took place on New Year’s Eve when many employees were on vacation — the company displayed “planned maintenance” messages on its websites across Europe, Asia and the US in order to “contain the virus and protect data.” That message has since been changed to an official press release in which Travelex says that while “it does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”

“Having completed the containment stage of its remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date Travelex has been able to restore a number of internal systems, which are operating normally.”

The UK Information Commissioner’s Office (ICO) has yet to receive a data breach report from the company and neither have the customers who ordered currency from Travelex before the attack and paid for it, but are unable to collect it.