Citing a source familiar with the details of the transaction, the Wall Street Journal reported on Thursday that the London-based company paid hackers 285 bitcoin for a ransom worth roughly $2.3 million (£1.8 million) after the attack on New Year’s Eve. Reached for comment by email, a company spokesperson told Gizmodo there was “an ongoing investigation and we have taken advice from a number of experts and will not be discussing this at this time”.
Just days into the new year, Travelex confirmed that it was experiencing service disturbances as a result of what the company described at the time as a “software virus”. The company later identified it as a malware referred to as Sodinokibi. The company initially said that while it didn’t have any indication that customer data had been compromised, it had taken its systems offline. It was able to restore some consumer-facing services shortly after, but international money transfer services were affected for most of January.
“We regret having to suspend some of our services in order to contain the virus and protect data,” Travelex chief Tony D’Souza said in a statement at the time. “We apologise to all our customers for any inconvenience caused as a result. We are doing all we can to restore our full services as soon as possible.”
According to Reuters at the time, the issue so pummelled the company’s operations that Travelex employees were forced to calculate exchange rates with pen and paper. The BBC, reporting in January that it had communicated with the hackers behind the attack, priced the ransom at $6 million (£4.8 million). And while Travelex said no data had been hijacked in the attack, the hackers reportedly told the BBC they’d stolen 5 GBs of “valuable” consumer data. A spokesperson did not return a request for comment about whether customer data had been stolen.
Cybersecurity experts and government agencies advise against paying ransoms, both because there’s no way of ensuring stolen data will be fully recovered as well as because it can perpetuate further targeting of organisations – and put a target on the back of an institution that does so.