UK Police Investigate Travelex Ransomware Attack, Ransom Demand

The alleged perpetrator of a cyberattack on Travelex, the “world’s largest retail currency dealer,” was Sodinokibi, a cyber gang demanding ransom, according to reports.

Sodinokibi contacted the BBC on Tuesday (Jan. 7), claiming responsibility for the attack that caused Travelex to shut down last week. The gang demanded $6 million in ransom in exchange for not releasing sensitive information regarding Travelex customers, including birth dates and credit card numbers.

Discovered on New Year’s Eve, the cyberattack is now the focus of a criminal investigation led by the Metropolitan Police. The attack forced Travelex to take its services offline and briefly fulfill service orders manually. The U.K.’s National Cyber Security Centre (NCSC) and regulators with the Financial Conduct Authority were already looking into the cyberattack, with the NCSC saying it would work closely with law enforcement.

Cybersecurity company McAfee had previously linked Sodinokibi attacks to Iran.

This attack had a ripple effect that impacted banks like Sainsbury’s and Virgin Money, which use Travelex services. Those banks “have been unable to process customers’ requests,” reports said.

Sainsbury’s customers “were still able to preorder and purchase currencies in-store at one of the supermarket’s bureaus,” but “the retailer was unable to offer its usual online service.” Virgin Money customers were unable to place orders through Virgin Money’s Travel Money website, but the bank noted that customers could do so directly at Travelex bureaus. However, “the bank said January was a quiet time of the year for currency orders” overall.

The Travelex website shared that its online services were temporarily unavailable “due to planned maintenance,” but would be working again soon.

On Tuesday, Travelex confirmed that Sodinokibi was behind the cyberattack, and said it was aiming to contain the spread. Travelex added that it did not yet have a complete picture of its data, but that there was “no evidence” that any data had been exfiltrated.

Tony D’Souza, the company’s CEO, said the company had taken everything down as a precautionary measure, and that it was sorry for any inconvenience.

Travelex works in more than 70 countries, with more than 1,200 branches worldwide.

Shares in Finablr, the parent company of Travelex, were down 6 percent on Tuesday.