A Travelex employee says the company has been left “shell-shocked” by the ongoing ransomware cyber-attack.
He said his firm’s communication with employees and customers seems to be “a masterclass in what not to do”.
The employee, who wants to remain anonymous, said there is fierce criticism internally at the way management has handled the affair.
Hackers controlling the company’s computer systems are demanding a multi-million-pound payment.
The hackers claim to be holding large amounts of customer data. Travelex said there is no evidence that any customer data has been compromised.
The employee said in an email to the BBC: “I couldn’t help but laugh at the suggestion that the public response has been “shockingly bad”. This is nothing compared to how it’s been handled internally. It feels like there is a distinct lack of real leadership and communication.”
The company says it is working with industry-leading cyber recovery specialists to fix the problem, and insists it is doing all it can to keep its customers and employees informed.
Computer systems in the company’s offices and currency shops across Europe, Asia and the US have been switched off since the attack took place around New Year’s Eve.
Cashiers have resorted to pen and paper while the company coordinates its cyber response from an office in the UK.
The anonymous worker said: “I’ve not been able to use my work computer for a week. The docs on my PC have all been encrypted by the hack, but the docs I stored on the cloud server have not, which would seem to suggest the hackers haven’t got too far into our system.”
‘Frustrated and upset’
The employee claims that the company was alerted to the cyber attack at about 21:00 GMT on the 30 January, not 31 January as has been widely reported. He alleges internal communication has been “scant”, but that since then IT teams have been working flat-out buying and setting up new PCs and replacing certain software.
Another employee, who also wishes to stay anonymous, said it is a similar picture in his department. In an email he said: “I work for Travelex and… low down in the ranks we have no clue what is happening. We are as frustrated and upset as the customers are.”
A spokeswoman for the firm said: “Travelex is gradually restoring a number of internal systems and is working to resume normal operations as quickly as possible. We have been keeping our employees informed of all developments in real time and will continue to keep them updated as our recovery process continues.”
Meanwhile customers of Travelex, and it’s many partner companies, have told the BBC they have been left out of pocket as currency ordered online has not been delivered.
One customer, Natalie Whiting, from Stevenage, ordered £1,000 worth of euros online through Tesco. “I haven’t been able to get a refund of my money, it just seems to be in limbo,” she told the BBC.
Travelex now says it has processes in place in shops around the world to prevent this sort of situation for customers. In a statement the company said: “We have in place manual workarounds for all our retail services, including collection of pre-ordered currency from our bureaux.
“Travelex systems are currently down and we are unable to sell or reload travel cards. However, existing cards continue to function as normal and customers can continue to spend and withdraw money from ATMs.
“Customers who acquired their card in the UK can view their balance and transaction information at uk.travelexmoneycard.com, and reload cards by calling Mastercard’s call centre, the number which is on the back of the card.”
Customers who have ordered money online are asked to contact Travelex customer services by phone or via social media to discuss their individual situation and requirements, the company added.
Travelex said there is no evidence that customer data has been compromised, but the hackers, known as Sodinokibi or REvil, have told the BBC they have downloaded 5GBs of valuable customer data and will sell it online in six days time unless Travelex pays them an ever-rising ransom. The ransom demand currently stands at $6m (£4.6m).
Travelex said it is working closely with the Metropolitan Police, which is leading the investigation into the attack.
The currency firm is not the only company to fall victim to ransomware. In the last year the trend has been that well-organised and well-funded criminal hacking groups have targeted high-value companies and public bodies. Earlier this week a US maritime base was forced offline for more than 30 hours.
Stuart McKenzie, senior vice president at US cyber security firm Mandiant Services, described what it could be like for incident-responders at Travelex. “The security team will be assessing the malware and attempting to contain the spread of the attack.
“Remediation should be being planned to identify how to prevent further infection whilst protecting backup systems. In these cases, the security team will be faced with multiple challenges, including from the business itself in attempting to understand what is happening.”
Initiatives like the No More Ransom campaign publicly encourage victims not to give in to hackers’ demands with partner Europol regularly stating that paying fuels the criminal industry.
However, not paying can be extremely costly. Steel producer Norsk Hydro was hit by the LockerGoga ransomware last March. Some 170 factories and offices were taken offline, with manufacturing partially suspended. The hackers demanded an estimated £300,000 but the company instead refused to negotiate and has spent about £50m recovering operations.