Travelex won’t say if it has paid a ransom to its attackers

Graham Cluley
Graham Cluley
@[email protected]

Travelex won't say if it has paid a ransom to its attackers

Travelex, the foreign currency exchange service whose services have been knocked offline since New Year’s eve by a cyber attack, is declining to say if it has paid a ransom to the criminals responsible.

Earlier today the organisation published a customer update about its ongoing attempts to resume normal operations, which saw for the company’s CEO Tony D’Souza break cover for a video statement, and run through a series of customer FAQs.

Travelex ceo

In the update Travelex underlines the message it gave in a press release earlier in the week that it was making “good progress” although it has been widely criticised for its response to the attack. It also continues to warn customers to be on their guard for scammers contacting them via the phone or email.

Notably D’Souza attempts to reassure public concerns that their data may have been put at risk, but stating that Travelex has “not uncovered any evidence to suggest that any customer data has left the organisation”.

Of course, an absence of evidence is not evidence of absence. Data is different from the Mona Lisa. If someone steals the Mona Lisa, you notice the gap in the wall of The Louvre. It’s not as simple as that with data.

Sign up to our free newsletter.
Security news, advice, and tips.

Travelex is declining to comment on how the REvil ransomware (also known as Sodinokibi) managed to infect its systems. I’ve also not seen them comment on media reports that the hackers responsible for the attack have demanded a $6 million ransom be paid for the safe return of what they claim is 5GB worth of sensitive data.

But the question I hoped Travelex’s CEO would answer was this: has Travelex paid any ransom demands?

ZDNet journalist Danny Palmer *did* ask that question, and I think Travelex’s answer (or rather lack of answer) might be telling:

Other organisations hit by ransomware haven’t been afraid to say that they will not pay the ransom. I wonder why Travelex doesn’t feel comfortable making a similar assertion?

If you have a secure backup, and if you have the systems in place to restore that backup in a safe, prompt fashion, then you shouldn’t need to ever consider paying the criminals behind a ransomware attack.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.