The numbers that usually glow with exchange rates on Travelex boards in airports worldwide have gone dark, after the London-based currency exchange company was forced to go offline after it discovered a ransomware attack on Dec. 31.
The disruption has also affected banks like Barclays, Royal Bank of Scotland and HSBC, which have been unable to fulfill foreign currency orders for their customers.
Travelex said it had contained the threat and had no evidence that customer data had been removed. It has been offering only over-the-counter services since New Year’s Eve, when it discovered that it had been compromised by ransomware known as Sodinokibi, or REvil.
The hackers told the BBC on Wednesday that they had downloaded five gigabytes of sensitive customer data since gaining access to Travelex six months ago and intended to sell it if there was no response by Jan. 14. They have demanded $6 million for the data’s return, according to the BBC.
Travelex, which has more than 1,200 stores, kiosks and counters in at least 70 countries, said in an online statement that it did not have a “complete picture” of what had happened to its data.
The company declined to provide details on how many customers had been affected, what data was at risk or when it expected the problem to be resolved. It said the investigation continues and declined to comment on the hackers.
“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data, as well as provide an excellent service to our customers, and we sincerely apologize for the inconvenience,” Tony D’Souza, the Travelex chief executive, said in the statement.
Travelex is still changing money, but must do the calculations by hand, based on rates issued each morning from its headquarters. At a central London branch of Travelex on Thursday, its ATMs permitted withdrawals only in pounds and the screens that usually show the exchange rates offered for each currency were blank.
Banks including Barclays, Royal Bank of Scotland and HSBC that use Travelex to offer currency exchange services are waiting for the issue to be fixed, as well.
“Unfortunately we are unable to process foreign-currency orders due to an issue with our service provider, Travelex,” Barclays said in an emailed statement. “We are sorry for the inconvenience and will be restoring the service as soon as we are able to do so.”
The Royal Bank of Scotland said that customers who had placed money orders in branches would be refunded if the order had not been fulfilled.
The episode raised questions about how many more parts of the financial system could be at risk, said Bob Sullivan, a cybersecurity expert.
“We would not normally think of a company like Travelex as infrastructure, but clearly it is,” Mr. Sullivan said. “A big payment company that has tentacles into hundreds of institutions: It’s a reminder of how fragile these systems are.”
London’s Metropolitan Police and the National Crime Agency are conducting criminal investigations. The National Cyber Security Center, part of a government intelligence agency, also said it was working to understand the hack’s impact.
The company has not reported a data breach, according to the Information Commissioner’s Office, a British government agency that enforces data-protection laws.
Travelex could also come under scrutiny from data protection authorities. Under European data privacy law, companies can be fined for being hacked if regulators determine that they did not do enough to protect the information. Firms found to have made the most serious infringements of European law can be fined as much as 20 million euros, or about $22 million, or 4 percent of the previous year’s worldwide annual revenue, whichever is higher. British Airways was fined nearly $230 million last year for privacy lapses.
“This is new because it combines a ransomware attack with the threat of G.D.P.R. fines,” said Mr. Sullivan, referring to the European Union’s general data protection regulation. “This is why these folks think they can get a big payday.”
Travelex had revenue of £729.5 million, or about $952 million, in 2018, according to its annual report.
The Financial Conduct Authority, a regulator, said it was also in contact with Travelex and expected it to “treat affected customers fairly.” The regulator said customers with concerns about currency orders should contact Travelex or the bank where they had placed the order.
Travelex said the software virus was detected on Dec. 31, but it was not reported to the Metropolitan Police until Jan. 2. “Among others, we reported to the N.C.S.C., and then the N.C.A. who in turn passed it to the Metropolitan Police to investigate,” a company press official said.
The shutdown’s duration has prompted complaints from customers unable to get access to their travel money and frustrated by the lack of information from the company. Customer service telephone numbers were shared on social media and the Travelex website.
The firm also attracted criticism from security experts, who said that Travelex had been warned about weaknesses in its system before but had not responded. One security company, Bad Packets, told Computer Weekly that it told Travelex about a vulnerability last April but the firm took six months to fix it and its systems could have been compromised within that time. Travelex declined to comment.
“It’s clear they’re not ready for this,” said Mr. Sullivan, the expert. “Clearly they didn’t have a recovery plan.”
It could take weeks for Travelex to determine how the hackers had embedded themselves into its system, said David Grout, a regional chief technology officer for FireEye, a security firm. It might not be as simple as just booting somebody out of a system.
“Companies like them will need to rebuild some part of the architecture to understand the nature of the attack,” Mr. Grout added.
Travelex said it did not anticipate any “material financial impact” for its owner, Finablr Group, based in Abu Dhabi. But Finablr shares fell more than 15 percent on the London Stock Exchange after Travelex confirmed the attack.