Hackers are holding the foreign exchange company Travelex to ransom after a cyber attack forced it to shut down its computer systems.
Travelex first discovered the cyber attack on New Year’s Eve and subsequently took its systems offline to protect data and prevent the malware from spreading.
However, it has now emerged that the cyber attack was in fact a ransomware attack, and the ransomware gang Sodinokibi has told the BBC that it was responsible.
The threat group, also known as REvil, have claimed that they gained access to Travelex’s computer network six months ago and have downloaded 5GB of sensitive customer data. REvil are demanding that Travelex pay $6m (£4.6m), otherwise the data will be sold online.
The data the threat group claim to have in their possession include dates of birth, credit card information and national insurance numbers.
The hackers said: “In the case of payment, we will delete and will not use that [data]base and restore them the entire network.
“The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base.”
The Information Commissioner’s Office (ICO) has said that it has not yet received a data breach report from Travelex. Regulations require organisations to notify the ICO within 72 hours of becoming aware of a data breach unless it doesn’t pose a risk to people’s rights and freedoms. If an organisation chooses not to report the breach, a record should be kept of it.
A Travelex spokeswoman said on Tuesday night in a statement: “Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.
“Whilst Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”
The Metropolitan Police’s Cyber Crime Team is leading the investigation into the attack.
Fabian Wosar, ransomware expert at Emsisoft, told the BBC: “Stealing data essentially gives threat actors additional bargaining chips when it comes to dealing with companies unwilling to pay the ransom. The idea is to weaponise the hefty fines associated with GDPR violations to pressure the company into paying.”