By Anna Isaac and Caitlin Ostroff 

A New Year's Eve ransomware attack on foreign-currency exchange company Travelex has disrupted cash deliveries from its global network of vaults to major international banks.

Banks in the U.K., including units owned by Barclays PLC, Lloyds Banking Group PLC, as well as Westpac Banking Corp. in Australia said Thursday they were unable to take orders from customers in branches that rely on Travelex to supply cash in foreign currencies. The banks' online retail foreign-currency exchange services, which are outsourced to Travelex, were also shut off.

Travelex's internal networks and consumer-facing websites and app have been offline since the attack, after the company shut down its computer systems to stop a ransomware virus that infiltrated its networks.

A Travelex spokeswoman confirmed that the outage has limited the service its wholesale operations provided to other institutions.

Representatives for Barclays, Lloyds and Westpac all confirmed the disruptions were because of the Travelex outage.

Travelex, a unit of U.K.-listed payments conglomerate Finablr PLC, is best known for its global network of retail foreign-exchange kiosks that target customers passing through international airports. Those operations have been hobbled by the attacks, with agents resorting to manual operations, writing handwritten receipts. Travelex has told customers of its prepaid currency debit cards, popular with overseas travelers, to access account information by phone or through alternate websites.

A lesser known, but important, part of Travelex's operations is its business helping other financial institutions manage their supply of foreign bank notes.

Underpinning this business is a network of high-security vaults in 14 countries including the U.S., with a vault in Louisville, Ky., the U.K., Australia, Japan and China. It uses these vaults to supply cash notes to wholesale clients including banks, central banks, travel agencies, hotels and casinos, according to a company bond prospectus from 2017 and a separate business brochure that appeared to be posted on a company website in September 2019.

Travelex's central bank clients have included the Central Bank of Nigeria, where it was responsible for the distribution of U.S. dollars in Lagos, according to the bond prospectus. A spokesman for the Central Bank of Nigeria declined to comment.

The business brochure describes Travelex's work with Malaysia's central bank, where it has provided foreign currencies and consulted with it to stop traffickers illegally transporting bank notes into the country. Bank Negara Malaysia representatives didn't immediately respond to requests to comment.

In a statement this week, Travelex said that the software virus is a ransomware known as Sodinokibi, also commonly referred to as REvil. It said the attack froze access to its data by locking it up in encrypted form.

Ransomware is a technique used to extort money by infecting systems and then shutting off access to data and processing capabilities. Money is demanded by the attackers in exchange for regaining access or to prevent data breaches. A string of such attacks have hampered operations at companies and governments in the past year.

Successful ransomware attacks, in which victims pay money to release their data, appears to have encouraged more attacks and demands for bigger ransoms. In June 2019, the city of Riviera Beach in South Florida paid nearly $600,000 to hackers who paralyzed the city's computer systems.

Lawrence Abrams, a New York-based security researcher, said he had contact with the group behind Sodinokibi on Tuesday, which claims to have hacked Travelex.

The group implied to Mr. Abrams that it is in negotiations with Travelex for it to pay a $3 million ransom and that the company had until early next week before they released the data publicly. The group told Mr. Abrams they have stolen 5 gigabytes of data, including dates of birth, social security numbers and credit card numbers, and that it deleted all data backup.

A Travelex statement issued Tuesday said that there was "no evidence to date that any data has been exfiltrated" or taken off the network. "There is no evidence that structured personal customer data has been encrypted," the company said. Structured data usually refers to information that can be easily analyzed, such as data in a spreadsheet or database.

Mr. Abrams said the hacking group might be bluffing to pressure the company into paying the ransom.

"Ransomware is very public. They want to leverage this fear factor," he said. He noted that the group he communicated with also declined to provide Mr. Abrams with a screenshot proving their possession of customer data.

The Travelex spokeswoman declined to comment about whether it is interacting with the attackers or what ransom demand has been made.

"There is an ongoing investigation. We have taken advice from a number of experts," she said. London's Metropolitan Police are spearheading a criminal investigation. The company has also hired cybersecurity experts to conduct forensic analysis of the attack.

Write to Anna Isaac at anna.isaac@wsj.com and Caitlin Ostroff at caitlin.ostroff@wsj.com

 

(END) Dow Jones Newswires

January 09, 2020 13:22 ET (18:22 GMT)

Copyright (c) 2020 Dow Jones & Company, Inc.
Westpac Banking (ASX:WBC)
Historical Stock Chart
From Nov 2020 to Dec 2020 Click Here for more Westpac Banking Charts.
Westpac Banking (ASX:WBC)
Historical Stock Chart
From Dec 2019 to Dec 2020 Click Here for more Westpac Banking Charts.