News

Barclays, Lloyds, RBS and HSBC all hit by Travelex cyber attack

The banks are among a host of lenders reporting hat their online foreign currency systems are down following the Travelex attack.
The banks are among a host of lenders reporting hat their online foreign currency systems are down following the Travelex attack. The banks are among a host of lenders reporting hat their online foreign currency systems are down following the Travelex attack.

The UK’s biggest high street banks have been hit by a cyber attack on Travelex, with Royal Bank of Scotland, HSBC and Barclays among those left with no online travel money services.

More than a dozen of the major banking players, also including Lloyds Banking Group and Virgin Money, are reporting that their online foreign currency systems are down following the New Year’s Eve ransomware attack on Travelex.

Many are offering customers services in branches, but orders cannot be processed online.

HSBC website
HSBC website Customers of major lenders are met with messages telling them online travel money services are not available (HSBC)

Travelex was forced to take all its global websites offline and is reportedly being held to ransom by the infamous ransomware gang called Sodinokibi, also known as REvil.

It is understood the criminals are demanding cash – speculated to be some six million US dollars (£4.6 million) – and is reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless Travelex pays up.

Travelex is the world’s largest retail currency dealer and provides travel money services for a host of partners, also including the likes of Sainsbury’s Bank and Tesco Bank.

Travelex owner Finablr, which is based in the United Arab Emirates, said late on Tuesday it is not expecting a “material financial impact” from the online attack.

Travelex has opened an investigation and confirmed in the update that while there has been some data encryption, and the extent is not yet known, there is no evidence that structured personal customer data has been breached.

But some of its business partners have spoken to the PA news agency of their frustration at the lack of information from the company.

Travelex had also not yet formally reported a data breach to the Information Commissioner’s Office (ICO).

Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach, unless it does not pose a risk to people’s rights and freedoms.

A company which fails to comply can face a fine of up to 4% of its global turnover, under General Data Protection Regulations.

Travelex has said it is working towards total recovery after successfully containing affected areas and has managed to restore a number of internal systems.

As part of a detailed forensic analysis, the firm added there is also no evidence that data has been transferred from the Travelex system, known as exfiltration.

In a statement on Tuesday night, Travelex chief executive Tony D’Souza apologised for the inconvenience to partners and customers.

He insisted the group was “working tirelessly to bring our systems back online”.

An investigation led by the Metropolitan Police and supported by the National Crime Agency is ongoing.

London-headquartered Travelex has a presence in more than 70 countries and more than 1,200 branches and 1,000 ATMs worldwide.

It processes more than 5,000 currency transactions every hour.