Hackers cripple airport currency exchanges, seek $6 million ransom

Amie Tsang, The New York Times

Posted at Jan 10 2020 08:47 AM | Updated as of Jan 10 2020 08:50 AM

A passenger walks past a Travelex currency exchange at Manchester Airport in Manchester, Britain Jan. 8, 2020. Phil Noble, Reuters

The numbers that usually glow with exchange rates on Travelex boards in airports worldwide have gone dark, after the London-based currency exchange company was forced to go offline after it discovered a ransomware attack on Dec. 31.

The disruption has also affected banks like Barclays, Royal Bank of Scotland and HSBC, which have been unable to fulfill foreign currency orders for their customers.

Travelex said it had contained the threat and had no evidence that customer data had been removed. It has been offering only over-the-counter services since New Year’s Eve, when it discovered that it had been compromised by ransomware known as Sodinokibi, or REvil.

The hackers told the BBC on Wednesday that they had downloaded 5 gigabytes of sensitive customer data since gaining access to Travelex six months ago and intended to sell it if there was no response by Jan. 14. They have demanded $6 million for the data’s return.

Travelex, which has more than 1,200 stores, kiosks and counters in at least 70 countries, said in an online statement that it did not have a “complete picture” of what had happened to its data.

The company declined to provide details on how many customers had been affected, what data was at risk or when it expected the problem to be resolved.

“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data,” Tony D’Souza, the Travelex chief executive, said in the statement.

Travelex is still changing money, but must do the calculations by hand, based on rates issued each morning from its headquarters. At a central London branch of Travelex on Thursday, its ATMs permitted withdrawals only in pounds and the screens that usually show the exchange rates offered for each currency were blank.

The episode raised questions about how many more parts of the financial system could be at risk, said Bob Sullivan, a cybersecurity expert.

“We would not normally think of a company like Travelex as infrastructure, but clearly it is,” Sullivan said. “A big payment company that has tentacles into hundreds of institutions: It’s a reminder of how fragile these systems are.”


2020 The New York Times Company