Travelex customers express anger after cyber attack leaves them without access to their money

Cash in limbo as attackers hold foreign exchange company to ransom and threaten to sell personal data

Ben Chapman
Wednesday 08 January 2020 19:20 GMT
Travelex has been criticised for its response to the New Year's Eve attack

Travelex customers have expressed anger at being “fobbed off” and disregarded by the foreign exchange company after a cyber hack left them without access to their money.

Sharon Stallard from Shropshire ordered foreign currency on New Year’s Eve for her husband Nigel. The couple found out two days later that they could not collect their money because criminals had locked Travelex out of its own computer systems.

“I was peeved. They told us on the phone on the 2 January that they didn’t know when we could get the money,” said Ms Stallard.

“They were very matter-of-fact, very dismissive. They didn’t want to take my name or phone number to call me back. They fobbed me off basically.”

“Since then we’ve had five days of nothing. It’s just really bad customer service.”

Other customers have complained online they are stranded in foreign countries without money that they put on Travelex ATM cards. They are all being told to simply wait until the company fixes its computer system, with no indication of when that might be.

High street banks that use Travelex's system have also been left with no online travel money services, with Royal Bank of Scotland, HSBC, Barclays and Lloyds all affected.

Travelex revealed last week that it had been the victim of a cyber attack, which was discovered on 31 December. Hackers broke into the company’s computer systems, perhaps as long as six months ago, and encrypted sensitive customer data. The gang is threatening to delete data from Travelex’s systems and sell it online unless the company hands over a ransom of $6m (£4.6m).

Staff have resorted to writing out invoices using pen and paper to fulfil customer orders since 1 January. Shares in Travelex’s parent company plunged 17 per cent on Wednesday as the crisis continued with little sign of an imminent resolution.

Sharon and Nigel Stallard discovered on 2 January they could not get the foreign currency they ordered online

The company’s response to the issue has provoked anger among customers. Travelex did not initially acknowledge the hack publicly and a notice posted online stated that its website was down for “routine maintenance”.

Ms Stallard said she was also concerned that hackers have access to her personal information. “They've got my phone number, my address, my bank details. But the main thing is the principle. The company's not communicated with us at all.

“These problems happen, and fortunately it's not a huge amount of money, but not everyone is in that position.”

The company said on Tuesday that it had contained the spread of the attack, which used ransomware known as Sodinokibi.

There is no evidence that “structured personal customer data has been encrypted”, Travelex said in a statement.

The firm's response has been "highly frustrating", said another customer, Natalie Whiting from Stevenage. Ms Whiting ordered £1,000 worth of euros through Tesco Bank for her upcoming holiday. Tesco uses Travelex for its foreign exchange service, as do Virgin Money, First Direct and Sainsbury’s Bank.

“There’s been no information since New Year’s Eve... none whatsoever,” said Ms Whiting.

“I’ve just been repeatedly told to go in store and order more euros that way, except I can’t because they’ve got my money.

“It’s almost a month’s wages for me.

“The worst part is I’m not even being given a guarantee that I will get my money back. There’s no help, no customer service.”

Tesco told Ms Whiting that it could not even set up a complaint on her behalf because it relies on Travelex's computer systems, which cannot currently be accessed. Tesco advised her to complain in writing instead.

Travelex chief executive, Tony D’Souza, sought to allay customers' fears on Wednesday.

“Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim,” he said.

“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data,” D’Souza said. “Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise.”

Companies have a duty to report instances where customers’ data has been compromised and may have been provided to third parties. The Information Commissioner’s Office, which handles cases of data breaches and can issue fines to companies that break the rules, said it had not received a report from Travelex.

The company said there was no evidence that its customers’ personal data had been “exfiltrated”. But data-breach experts criticised Travelex for failing to adequately protect its computer systems.

Travelex and other companies were warned eight months ago of their potential vulnerability to the Sodinokibi ransomware.

“This is not the first cybersecurity incident to hit Travelex,” said Aman Johal, director of Your Lawyers, a consumer law firm specialising in data breaches.

“It is disturbing to see yet another attack, and reports that Travelex waited eight months to fix critical flaws in its security systems and VPN function are concerning.

“Organisations should be taking all reasonable steps to prevent a cyber-security breach, and it is clear that lessons are not being learned and history is repeating itself.”

He added: “Businesses are duty-bound to protect their customers’ data and have a responsibility to communicate the impact of a data breach. The potential repercussions of a data breach can never be overstated.”

If regulators find that customer data has been compromised, the incident could prove costly for Travelex. The ICO can fine companies up to 4 per cent of their global turnover for breaking the rules.

Last year, British Airways was fined £183m by the ICO and hit with an estimated compensation bill of £3bn after hackers stole half a million customers’ details.

A spokesperson for the ICO said: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms.

"If an organisation decides that a breach doesn't need to be reported, they should keep their own record of it and be able to explain why it wasn't reported if necessary."

A joint investigation between the National Crime Agency and the Metropolitan Police is ongoing.
