Travelex: Fears for customers' personal information after hackers publish stolen data
Details from hack on different company posted online by Sodinokibi group that held Travelex to ransom
Criminals who hacked into Travelex’s computer system have published stolen data believed to be from a different attack - leaving customers fearing for the safety of their own personal information.
It is thought to be the first time that hackers behind the Sodinokibi ransomware have released stolen files after a victim did not pay up in time.
The news will ramp up pressure on Travelex to secure its computer systems and bring an end to a crisis that has dragged on for two weeks.
The hackers holding the foreign exchange company to ransom began posting 337MB of customer data on Saturday which they claimed was stolen from a similar attack on American IT firm Artech Systems.
A post which appeared on a Russian hacking website on Saturday stated: “This is a small part of what we have.
“If there are no movements, we will sell the remaining, more important and interesting commercial and personal data to third parties, including financial details.”
Travelex said on Monday it was beginning to restore its systems after being hit by a cyber attack on New Year’s Eve that has seen customers unable to access their accounts and forced staff to write out transactions using paper and pen.
The company reiterated its stance that there is no evidence its customers’ data has been compromised and that the “majority” of services were up and running.
But experts warned it may not be immediately clear in the wake of a ransomware attack whether or not data has been compromised.
Brett Callow, a threat analyst at cybersecurity firm Emsisoft, warned customers of any company that has fallen victim to hackers to err on the side of caution.
“Working out what happened - and whether data was taken - in the aftermath of a ransomware incident is far from easy,” he said.
“It’s a slow and painstaking process that can take several weeks.”
He pointed to past cases in which companies that have been targeted claimed that no data was stolen, only for the data that was stolen to be subsequently published by hackers.
Mr Callow advised customers to act as if their data may have been breached and monitor their bank accounts and credit reports.
“If the password they used when accessing Travelex’s services was used on other websites, it should be immediately changed,” he said.
“In fact, any reused passwords should be immediately changed - it’s a bad and insecure practice.”
He added: “Companies that have had data stolen have no good options available to them.
“Refusal to pay will probably result in the data being published whereas payment will get them a pinky promise that the data will not be published or monetised.
“As that pinky promise is made by criminals, it carries near-zero weight.”
Travelex has so far declined to say whether or not it has paid money to the Sodinokibi group, which is also known as REvil.
Travelex, which supplies foreign exchange services to the majority of Britain’s major high street banks, issued a statement on Sunday following complaints from customers about a lack of communication regarding the hack.
Chief executive Tony D’Souza said Travelex had made “good progress” on recovering the use of its technology.
He added: “We are now at the point where we are able to start restoring functionality in our partner and customer services, and will be giving our partners additional detail on what that will look like during the course of this week.”
The company said it would begin to restore customer-facing systems but some users reported on Monday that they still could not log into the app or see account balances.
While it has not found evidence of data theft, Travelex did warn customers to be wary of scammers.
The company said in a statement: "Based on the public attention this incident has received, individuals may try to take advantage of it and attempt some common e-mail or telephone schemes.
"Increased awareness and vigilance are key to detecting and preventing this type of activity. As a precaution, if you receive a call from someone purporting to be from Travelex that you are not expecting or you are unsure about the identity of a caller, you should end the call and call back on the local customer service number available on Travelex’s website."