2020-01-08T102213Z_1373740858_RC2MBE9FBK7A_RTRMADP_3_BRITAIN-TRAVELEX-(Read-Only)
A passenger walks past a Travelex currency exchange at Manchester Airport in Manchester, Britain. Image Credit: Reuters

LONDON: Staff at foreign exchange firm Travelex are using pen and paper to serve thousands of customers worldwide after the company confirmed cyber hackers were holding its systems to ransom.

The currency trader, which also provides forex services for Virgin Money and the banking arms of British retailers Tesco and Sainsbury, said on Tuesday a software virus identified on Jan 2 was a ransomware attack.

The incident forced Travelex to take all its systems offline, causing chaos for New Year holidaymakers and business travellers and triggering criminal investigations led by Britain’s National Crime Agency and London’s Metropolitan Police.

Travelex’s parent company Finablr Plc said on Wednesday it did not expect to suffer any material financial impact from the incident, which used a type of ransomware called Sodinokibi in an attempt to encrypt customer data.

Finablr’s shares fell almost 20 per cent to a record low on Wednesday. The slump was exacerbated by two major investors selling shares worth about $72 million in the payments firm.

Travelex said it had contained the spread of the ransomware, also known as REvil, and that there was no evidence yet that any data had been stolen.

A spokesperson for Virgin Money said investigations by Travelex were ongoing, with no confirmed timescales for resolution.

“As this is a global Travelex issue, customers are currently unable to place orders via the Virgin Money Travel Money website (or any Travelex website) or the contact centre. However, customers can process orders at a Travelex Bureau directly,” Virgin Money said.

Spokespeople for Tesco and Sainsbury could not immediately be reached for comment.

Travelex, which had computer specialists and external cybersecurity experts work on isolating the virus, is gradually restoring a number of internal systems and is working to resume normal operations as quickly as possible.

Global companies are increasingly facing ransom-demanding hackers who cripple businesses’ technology systems and only stop after receiving substantial payments.

These hackers use malicious programmes known as ransomware to take down systems controlling everything from supply chains to payments to manufacturing.

The hackers have grown more sophisticated during the past year, cybersecurity experts say, shifting from individuals and mom-and-pop operations to larger companies that can afford bigger ransoms.

In August, hundreds of dental offices around the United States found they could no longer access their patient records because of a Sodinokibi attack, according to Malwarebytes, which sells cybersecurity software.

Finablr’s other six brands — UAE Exchange, Xpress Money, Unimoni, Remit2India, Ditto and Swych, are not affected and are operating normally, it said.