Sodinokibi, the alleged perpetrators of the cyberattack, claimed responsibility for the breach. The cybercriminals demanded $6 million in ransom with a promise that they would not release the sensitive information of Travelex customers, including birthdates and credit card numbers.
A Travelex spokesman told the WSJ that the firm got advice from security experts on how to proceed, and has kept its investors and regulators up to date on the recovery. He said British law enforcement is still investigating the crime, but declined to comment further.
The attack caused Travelex to take down websites in 30 countries to contain the malware and protect data.
The hacking group, also known as REvil, told the BBC that they gained access to the company’s computer network last year and downloaded 5GB of sensitive customer data. They claimed to have birthdates, credit card information and national insurance numbers and demanded the $6 million payment.
“In the case of payment, we will delete and will not use that [data]base and restore them to the entire network,” the hackers said. “The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”
Travelex, whose machines are located in airports worldwide, said it began to restart some of its operations in January and February.
The Journal said it participated in an online chat with a group of hackers who claimed to have hacked Travelex in January and who said they had received the payment. At that time, the group said it no longer held the data, but failed to provide specifics on what it had stolen.
“It is impossible to know who was on the other end, though the chat room displayed information about the group linking them to the Sodinokibi malware,” the Journal wrote.
Alan Woodward, a cybersecurity professor at the University of Surrey, told the Journal that if someone pays a ransom, they get put on the list of payers. “You are one of those that’s most likely to pay up,” he said. “That makes you a target for everybody else.”