Travelex customer: My money is in limbo

By Joe Tidy
Cyber-security reporter

Image source, Natalie Whiting
Image caption,
Natalie Whiting from Stevenage hasn't received her euros

Customers of Travelex say they feel let down after being left with no travel money from the company which is in the midst of a cyber-attack.

One customer, Natalie Whiting from Stevenage, ordered £1,000 worth of euros online through Tesco.

"I haven't been able to get a refund of my money, it just seems to be in limbo," she told the BBC.

On Tuesday, the foreign currency trader confirmed that it is the victim of a ransomware attack.

The criminals behind the hack told the BBC they are demanding $6m (£4.6m) or company computer systems will be deleted and customer data sold online.

Travelex says that there is no evidence customer data has been compromised.

In response to the cyber-attack, which was first discovered on New Year's Eve, Travelex took all computer systems offline, affecting thousands of sites in dozens of countries.

Cashiers have been resorting to using pen and paper to keep money moving at cash desks in airports and on high streets but orders online have been affected.

Image source, Getty Images

Business partners which rely on Travelex for currency services, like Sainsbury's, Tesco and Virgin Money have also been affected.

"I ordered over £1,000 of euros from Tesco bank online for collection in my local Tesco store on 31 December, ready to be collected on 3 January," Ms Whiting told the BBC

"The money was taken from my account and an order confirmation was sent to me, but I went to Tesco to collect my euros last Friday to be told of the Travelex issue.

"I am now £1,000 out of pocket after saving up for so long and there's no information or help."

Computers offline

Travelex confirmed to the BBC that no direct communication had been sent to customers about the attack, partly because all the computer systems are offline.

Visitors to the Travelex UK website are told that the site is down for "planned maintenance" and partner sites, including Sainsbury's travel money, have similar messages.

Image source, Stephen Wright
Image caption,
Stephen Wright had to buy currency elsewhere

Stephen Wright, from Banff in north-east Scotland, is also furious with the way the company is handling the incident.

He said: "I ordered euros on 23 December from Tesco bank. Delivery was due on 3 January but obviously, due to the problem with Travelex, nothing has yet arrived.

"There has been no communication from Tesco bank, so I called them. They simply say there is nothing they can do, that I must just wait until the problem is rectified, whenever that will be.

"I have been forced to purchase more euros elsewhere, leaving me considerably out of pocket."

No ICO report

A ransomware gang called Sodinokibi carried out the attack.

The gang, also known as REvil, claims it first gained access to the company's computer network six months ago and has since downloaded 5 gigabytes of sensitive customer data.

Dates of birth, credit card information and national insurance numbers are all in their possession, they claim.

However, a Travelex spokeswoman said on Tuesday night in a statement: "Whilst the investigation is still ongoing, Travelex has confirmed that the software virus is ransomware known as Sodinokibi, also commonly referred to as REvil."

"Travelex has proactively taken steps to contain the spread of the ransomware, which has been successful. To date, the company can confirm that whilst there has been some data encryption, there is no evidence that structured personal customer data has been encrypted.

"Whist Travelex does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated."

The Information Commissioner's Office (ICO) said it had not received a data breach report from Travelex.

A spokeswoman added: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms.

"If an organisation decides that a breach doesn't need to be reported, they should keep their own record of it and be able to explain why it wasn't reported if necessary."

Under General Data Protection Regulation, a company which fails to comply can face a maximum fine of 4% of its global turnover.

The Metropolitan Police says its Cyber Crime team is leading the investigation into the attack.

Travelex has not said whether or not they are negotiating with the hackers and have not given any timeframe for when normal service will resume.

Have you been affected by the cyber-attack on Travelex? Share your experiences by emailing

Please include a contact number if you are willing to speak to a BBC journalist. You can also contact us in the following ways: