An employee manually counts 20 sterling pound notes in this arranged photograph at a Travelex store in London, United Kingdom, on March 6, 2013.
Simon Dawson | Bloomberg | Getty Images
U.K.-based currency exchange company Travelex experienced a ransomware attack that crippled the company’s online presence and locations across the U.S., European Union and Asia. It was unclear how much ransom cybercriminals were demanding. Travelex did not immediately respond to request for comment.
Ransomware is malicious software that shuts down computers, including those that may run retail equipment, until a victim pays a ransom to cybercriminals for a key to unlock the encrypted machines.
On its main website Tuesday, Travelex said the incident started Dec. 31, and the company took “all our systems offline” to prevent a spread of the virus.
“We have deployed teams of IT specialists and external cybersecurity experts who have been working continuously since New Year’s Eve to isolate the virus and restore affected systems,” the website says.
Britain’s Metropolitan Police Force said it has been looking into a “ransomware attack involving a foreign currency exchange” since Jan. 2, and it has been assisting with an ongoing investigation.
A cyber task force insider confirmed to CNBC that the foreign currency exchange was Travelex.
Travelex’s bank and wire service partners, including Virgin Money and Sainsbury Bank, reported they also were suffering outages as a result of the attack, according to the BBC.
Travelex had previously told customers that it was conducting “maintenance.” Customers visiting most pages on the company’s website in the U.S. on Jan. 7 still saw a message reading: “This website is temporarily unavailable while we make upgrades to improve our service to you. We are sorry for any inconvenience and htank you for your patience. Thank you for using Travelex!”
The BBC also reported that Travelex locations were offline, and workers in some locations were handling customer currency exchange transactions with pen and paper.
U.K. corporations must abide by a 72-hour customer notification period for many types of cybersecurity incidents under the EU’s General Data Protection Regulation (GDPR). Travelex said its “investigation to date shows no indication that any personal or customer data has been compromised,” according to a statement.