back to article The Six Million Dollar Scam: London cops probe Travelex cyber-ransacking amid reports of £m ransomware demand, wide-open VPN server holes

More than a week after its website and online services were taken offline by malware, foreign currency super-exchange Travelex continues to battle through what has become an increasingly damaging outage that may have unpatched VPN servers at its heart. London's Metropolitan Police confirmed to El Reg on Tuesday its officers …

  1. David 132 Silver badge
    Trollface

    Don't forget this is Travelex

    And its criminal masterminds have demanded $6m (£4.6m) from Travelex

    "As you're Travelex, we'll use your own exchange rates. So that $6m USD will cost you £6.02m GBP or €8m EUR please..."

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't forget this is Travelex

      yes, hard not to feel schadenfreunde, couldn't have happened to nicer people, etc, etc. But I do have some sympathy with their customers (even though they're serious suckers to deal with travelex in the first place). I'm sure they'd be refunded by their banks for whatever they paid for the currency they'll never get, but I'm sure the banks will drag their feet as long as they can (30 days to process claims?)

      p.s. it will be interested to see if the hackers stick to their promise to destroy that personal data they allegedly grabbed. On one hand, once they get their ransom, what's stopping them from making extra profit by flogging this data, record by record, or in bulk? (this might actually be the death strike for travelex). On the other hand, if the hackers want to continue their profitable line of business, as any business venture would do, failing to keep their "promise" would work against them in the future, sending a message to future victims: you pay the ransom AND lose data, which then makes you a sitting duck against authorities and regulations (fines ahoy) and individual legal claims. So, future victims might decide to stick to damage limitation, i.e. original losses, rather than pay ransom for nothing - if travelex customer data is released.

      1. GcdJ

        Re: Don't forget this is Travelex

        Quote > "once they get their ransom, what's stopping them from making extra profit by flogging this data, record by record, or in bulk?"

        if the ransom is paid and then the data is put out on the internet (sold or free) then there will be no incentive for the next organisation they attack to pay the ransom. These blackmailers must solicit trust to make money in the future.

        Geoff

  2. Anonymous Coward
    Anonymous Coward

    ICO hints that GDPR appears to be optional

    Meanwhile, the BBC is reporting that the ICO says the choice of reporting of such breaches is down to the decision of the company affected.

    Travelex customers 'thousands of pounds out of pocket'

    The Information Commissioner's Office (ICO) said it had not received a data breach report from Travelex.

    A spokeswoman added: "Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people's rights and freedoms.

    "If an organisation decides that a breach doesn't need to be reported, they should keep their own record of it and be able to explain why it wasn't reported if necessary."

    Under General Data Protection Regulation, a company which fails to comply can face a maximum fine of 4% of its global turnover.

    1. Mystic Megabyte Silver badge
      WTF?

      Re: ICO hints that GDPR appears to be optional

      There's something odd going on here. Earlier this morning I read that linked article, now it is no longer on the front page of the BBC. Typing "travelex" into the search bar takes you to a podcast where you need to sign in. I'm not doing that!

      1. Anonymous Coward
        Anonymous Coward

        Re: ICO hints that GDPR appears to be optional

        I don't get a front page story, but search gives me 6 stories from the last week.

        Does accessing the site in incognito mode change anything (i.e. without preference cookies)?

      2. Anonymous Coward
        Anonymous Coward

        Re: ICO hints that GDPR appears to be optional

        I think there's some algorithm they employ (well, no shit sherlock), and in theory, all those articles move around their site like puzzle pieces, based on what is clicked, or viewed, or whatever (hence the occasional fun when you hear media picking up stories, quoting the beeb only to find out that the story's 5 year old but for some reason, people overlooked it, more and more clicked on it, thus the story's resurfaced to feature prominently, etc.

        Obviously, given that the travelex is probably THE story, alongside the Iranian-US "debacle", we can speculate that it's highly peculiar that it disappeared from the front. Perhaps an "algorithm" has been tweaked, by pure coincidence, by an unnamed intern to bury the bad news? It certainly appears that both travelex and the authorities are trying DESPERATELY hard to make it a non-news. Which is interesting.

        1. TeeCee Gold badge
          Facepalm

          Re: ICO hints that GDPR appears to be optional

          ...given that the travelex is probably THE story...

          Strawman argument. I rather suspect that, outside of specialist technical circles, the level of interest in this peaked at "yeah...…...whatever".

          NB: "trending on tw@ter" does not count, as a very small minority of self-selecting people is, by definition, not representative of the population as a whole.

      3. Doctor Syntax Silver badge

        Re: ICO hints that GDPR appears to be optional

        That's normal behaviour for using the Beeb's own search to search for their own stories. You were looking for something from yesterday? Here's something vaguely related from 5 years ago.

      4. HildyJ Silver badge
        Holmes

        Re: ICO hints that GDPR appears to be optional

        Accessing it from across the pond I have no problems. Articles show up in the BBC search and, while it doesn't make the Home page or the News page, it's the third item on the Business page.

    2. Pascal Monett Silver badge

      Re: ICO hints that GDPR appears to be optional

      At this point, it would seem that the CEO is probably praying that there will be a turnover to put a fine on.

      Good. That will educate him about the importance of making sure security is part of his conception of IT.

    3. Anonymous Coward
      Anonymous Coward

      Re: ICO hints that GDPR appears to be optional

      The decision whether to report or not has always sat with the company, which is why you see so many public sector organisations reporting themselves - particularly the NHS as it's (regardless of the bad press it constantly gets) run by ethically minded middle-managers who just want honest governance.

      They also know that reporting to the ICO can help them get funds from senior managers to plug gaps generating these problems, it's a lever.

      Travelex doesn't have to report, although the fact they haven't flipped back to backups shows that loss of data is absolutely guaranteed if they did so now the ICO is very interested and will query the decision not to.

    4. MJB7 Silver badge

      Re: ICO hints that GDPR appears to be optional

      Travelex are (currently) claiming no data has been exfiltrated. *If* that is true, there is no breach to be reported to the ICO.

      If it turns out that a bunch of IP addresses has been exfiltrated, it may be possible to argue that "people's right and freedoms are not at risk". If email address, password hash and salt have been exfiltrated ... not so much.

  3. julian_n

    It looks like firing Cyber Security professionals was not the smartest move by Travelex. Not sure the salary savings will cover the cost of fixing this.

    1. Giovani Tapini Silver badge

      Firing the cyber security people. possible

      However you may equally find they have been flagging issues for months and the beancounters didn't want to replace or remediate lots of kit that doesn't bring cost reductions...

      1. Anonymous Coward
        Anonymous Coward

        Re: Firing the cyber security people. possible

        Or senior management really "needed" access to Dropbox so they could see their stuff at home etc.

    2. AndrueC Silver badge
      Unhappy

      ..either that or price rises will have to ;)

  4. Pangasinan Philippines
    FAIL

    Future ON-CALL or WHO ME?

    Looking forward to read that one

  5. Chris Hills

    Head in the sand again

    They were told of the insecure Pulse VPN servers and ignored the warning. But I'm sure the execs will get off scot-free.

    1. sanmigueelbeer Silver badge
      Joke

      Re: Head in the sand again

      But I'm sure the execs will get off scot-free.

      Free, a big promotion and a raise (in the currency of their choosing).

      The Information Commissioner's Office (ICO) said it had not received a data breach report from Travelex.

      Maybe because Travelex's email isn't working?

    2. Anonymous Coward
      Anonymous Coward

      Re: Head in the sand again

      I doubt if the execs will get off "Scott free".

      They might not have a company to come back to in a couple of weeks! Depending on how they handle things now, they could lose many of their contracts with banks and supermarkets, which could start them on a downward spiral even if they survive January.

      I doubt those execs are sleeping comfortably at the moment, and the CEO / CTO will struggle to walk into a new role after this bad publicity.

      1. Anonymous Coward
        Anonymous Coward

        Re: the CEO / CTO will struggle to walk into a new role after this bad publicity

        are you suggesting that the career path of that ex-talktalk Fona Something, POST-talktalk-tits-up is exception to the rule? I don't know, it would be interesting to see some stats and graphs (seriously).

      2. theblackhand Silver badge
        Coat

        Re: Head in the sand again

        Well...the board of directors is Scott-free already.

        I'll get my coat...

    3. Anonymous Coward
      Anonymous Coward

      Re: Head in the sand again

      The execs must be some real old farts who were usually complacent, certain that their old school ways would talk their way out or use their lawyers to get out of any trouble they might find themselves in.

    4. Steve Evans

      Re: Head in the sand again

      It'll be interesting to see if, or how well, they survive.

      I'm sure they have insurance against IT issues, but I'm also pretty sure that those policies have clauses about keeping things patched and up to date.

  6. Anonymous Coward
    Anonymous Coward

    GDPR: Is the ICO is a Chocolate Fireguard ?

    From the Guardian:

    Travelex 'being held to ransom' by hackers said to be demanding $3m

    "They are reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless the company pays up."

    1. Anonymous Coward
      Anonymous Coward

      Re: into the public domain unless the company pays up

      I very much doubt they'd ever release it "to the public domain", unless they work to bring travelex down, there's no profit for them in such a release. At most, they would release a few records to verify their claim. Flog the data on black market, that's another matter. But this also comes with more and more risk these days, as authorities become more clued up. The most ideal situation would have been for the hackers to do it all quietly - inform the company, demand ransom, get the money, end of story. Clearly, travelex wouldn't play ball, so the hackers made the information public, to put some pressure on the company. However, the longer it drags on, the less chance ransom gets paid, and more chance that the UK (and probably US) full state resources will be directed to track them.

      1. AndrueC Silver badge
        Stop

        Re: into the public domain unless the company pays up

        Ransoms should never be paid. It only encourages the perpetrators to do it again. I know it can be tough when Aunty Maud has been grabbed but think about Uncle Bill - he could be next.

        If no-one ever gave into ransom demands there would be far fewer kidnappings. Every time demands are met it perpetuates the crime.

        1. Anonymous Coward
          Anonymous Coward

          Re: into the public domain unless the company pays up

          That's alright then. I haven't got an Aunty Maud

          1. phuzz Silver badge
            Windows

            Re: into the public domain unless the company pays up

            And they can keep Uncle Bill, he's a racist old prick.

            I won't accept less than twice the ransom to take him back!

            1. Claptrap314 Silver badge

              Re: into the public domain unless the company pays up

              You mean...he's being marked down?

        2. OssianScotland Silver badge
          Pint

          Re: into the public domain unless the company pays up

          Alternatively, if you (or Uncle Bill) read Kipling's Danegeld, you get the general idea

          "For once you have paid him the Danegeld, you'll never get rid of the Dane"

          Icon: to Rudyard, still one of the best authors in the English Language, and still a poet of our times.

        3. Anonymous Coward
          Anonymous Coward

          Re: Ransoms should never be paid

          sadly, reality is different. To the point that some security experts (yes, they know their techie stuff), albeit in another country, openly declare they recommend their clients pay up. And snort at those who point out something seriously wrong in such declarations, as in "yeah, well, grow up!" :(

          1. Claptrap314 Silver badge

            Re: Ransoms should never be paid

            If I ever encounter a self-styled security "expert" making that recommendation, I'm going to ask him what his percentage is.

            ********

    2. Prst. V.Jeltz Silver badge

      Re: GDPR: Is the ICO is a Chocolate Fireguard ?

      "They are reportedly threatening to release 5GB of customers’ personal data – including social security numbers, dates of birth and payment card information – into the public domain unless the company pays up."

      so is this a ransomware situation or not?

  7. Kevin Fairhurst

    "there is still no evidence to date that any data has been exfiltrated"

    ... because all the computers are switched off, and the data on them has been encrypted anyway.

    Of course, once the professionals get in to the systems and look at the logs we'll find that there *IS* evidence of data exfiltration, going back months, but by then the execs will all have "retired" on big fat bonuses...

  8. Mr Dogshit
    FAIL

    Patch your shit or get hacked, people.

    1. OtotheJ

      Patching +

      Don't believe that fully patched systems are going to protect you from attack.

      On a daily basis we are seeing phishing emails that lead to legitimate looking Google/365/LinkedIn web pages where people merrily give away their usernames and passwords.

      Focus on educating people as well as patching systems

      1. Prst. V.Jeltz Silver badge

        Re: Patching +

        true dat,

        There should never be a legit situation where following a link leads to giving away your password.

        The muggles should be told - never do that.

        And businesses should get there shit together and stop offering such links and just say

        "go to our website and login"

        They dont help themselves!"

        1. Doctor Syntax Silver badge

          Re: Patching +

          I can't imagine why you got two down-votes for that. Banks and building societies are, in my experience, the worst offenders for training their customers to be phished.

          1. John H Woods Silver badge

            Re:"Banks and building societies are, in my experience, the worst offenders ..."

            Yep,

            Certainly they spent a lot of the last decade phoning up and asking security questions. Don't know whether they still do and I'm just on an 'awkward list' of people who never reveal any information on any incoming* call.

            *it's still 'incoming' IMHO if you made the call because someone texted or emailed you the number.

            1. Doctor Syntax Silver badge

              Re: Banks and building societies are, in my experience, the worst offenders ..."

              I think phoning up costs too much money these days so they don't do it.

            2. Chris King Silver badge
              Holmes

              Re: Banks and building societies are, in my experience, the worst offenders ..."

              "Don't know whether they still do and I'm just on an 'awkward list' of people who never reveal any information on any incoming* call"

              They still do, and I still tell them I will ring back on one of the bank's normal telephone banking numbers. And WHY am I such a git about this ? I had one cheeky bastard try the "Hello Sir, I am from your bank" opening gambit on me.

              "What's my name ? Which bank ?"

              *click*

              Yes, it's a new decade, and people still fall for this crap.

              1. Anonymous Coward
                Anonymous Coward

                Re: Banks and building societies are, in my experience, the worst offenders ..."

                "What's my name ? Which bank ?"

                *click*

                If only that worked for "which accident was that, then?" because they then rabbit on as if convinced you really did have an accident.

                Then I ask them who they want to contact.

                When they say "Michael Rodent", I suggest they think carefully about that name. Rarely does the penny drop.

                (I filled in the webform about 4 years ago. They still call. Mr Rodent broke every bone in his body in that accident.)

                1. Chris King Silver badge

                  Re: Banks and building societies are, in my experience, the worst offenders ..."

                  "So you're saying I had a serious accident ? Wow, I've got absolutely NO memory of it whatsoever - the brain damage alone must be worth millions ! Where do I sign up ?"

                  *click* again.

  9. elwe

    It is 2020, what was the customer data and critical systems doing on Windows boxes, rather than Linux with a snapshotted file system underpinning the storage?

    At the places I have worked since 2006 this kind of ransomware would mess up finance, HR etc. But the real customer facing work would be unaffected. And those affected systems would be rebuild with a clean client OS and up and running relatively quickly. Once HR and the bean counters figured out how to recreate their shortcuts, so over a week sounds reasonable...

    1. Korev Silver badge

      A fully patched and configured Windows Server setup would be more secure than a neglected Linux system, think of some nice vulnerabilities like Heartbleed.

    2. Halfmad Silver badge

      Linux has it's own problem, underlying issues here are a culture of not funding and/or caring about information and cyber security.

      If they did at most they'd be back up and running already and saying "we lost X amount of data, sorry ICO".

      Instead they are still down, still clutching at straws and in PR damage limitation mode.

      1. Anonymous Coward
        Anonymous Coward

        "Instead they are still down, still clutching at straws and in PR damage limitation mode."

        It's worse than that - they are at "Instead they are still down, still clutching at straws and in PR damage limitation mode AND considering paying £3 million because they think they may get their data back because it looks like it might be gone for good"

    3. The Original Steve

      "It is 2020, what was the customer data and critical systems doing on Windows boxes, rather than Linux with a snapshotted file system underpinning the storage?"

      If you think you are safe from attacks, viruses and malware just because of a particular technology choice, then you're both sorely mistaken and I wouldn't be surprised if you've already been done over without knowing it.

      Security isn't actually a technical issue per se, it's cultural. As posted above, a properly configured Windows Server is more secure than a poorly configured <insert OS of choice> server.

      End user education, tiered security, least user access, well trained administrators and strong processes including the assumption you WILL be compromised (and thus have a strong, tested, offline backup) are SOME of the measures to help mitigate security issues.

      Changing an OS is like changing the brand of car you drive. How you drive and maintenance of the vehicle make far more difference to how likely you'll be involved in a collision.

      1. ovation1357

        This is all well and good and indeed I agree entirely that attitudes and good processes are essential.

        But Windows does have an atrocious track record in security and whilst there is now some ransomeware out there which attacks Linux, the majority by a very long shot targets only Windows which in itself makes it a poor choice of OS in my view. (I caveat this that if everyone switched to something else I'm sure the crims would then target the next most popular OS)

        No OS is perfect but M$ has historically been very late to the security hardening party. Plus at one end they're patching vulnerabilities like there's no tomorrow whilst at the other end they're putting out a constant stream of Swiss cheese applications and technologies, often using their world domination to push them to everyone, and creating vast new attack surfaces.

        Windows has no place in the server market IMO and M$ knows it, hence all their desperation to embed Linux into Windows and support server development.

        The ageing execs who still doggedly hold on the the mantra that nobody ever got fired for buying Microsoft and insist on it being the only corporate 'approved' OS are probably the only reason why some of the biggest names in software still produce a Windows version of their product. And the typical word on the street is that much of it doesn't run as well and/or lacks features and/or isn't very well supported when compared to the Linux version.

        Choose a mainstream Linux distro, Choose *.BSD, hell, choose Solaris if you have to. Choose well established and well trusted open source software where possible. Follow best practice guides, keep patched.

        But keep Windows limited to Noddy desktops for running Excel, games, CAD or whatever and don't try and run backend services on it - it won't end well :-(

        1. NiceCuppaTea

          The reason there is less malware for *nix is low adoption rates among the unwashed. Writing malware is a business, as a business you have to think of ROI.

          If i write a nasty piece of code for *nix i will have the opportunity to infect and gain money from x% of the world, if i write for windows i will have the opportunity for X%

          I'm pretty sure there are a massive ammount of *nix exclusive attack vectors that havnt been descovered or exploited simply because its not worth investing the time and effort involved in finding them.

          I have no particular allegance to any OS but its simple economics.

          1. Anonymous Coward
            Anonymous Coward

            The Unix philosophy was always KISS - Keep It Simple, Stupid. It started that way in Linux too.

            Windows can never, ever be described as having that philosophy.

            The tools (even today when systemd is the final nail in the coffin of that philosophy) to detect an APT remain far simpler for Linux than Windows.

            Plus, once you have the AD you have the entire corporate network. Every single bit of it. The Keys to The Kingdom.

          2. Claptrap314 Silver badge

            You're noticing R a lot, but not I. Yes, *nix systems have regular vulnerabilities. Those using by average users (running Chrome) even more. But it is still, on average, a lot more work to get a working exploit deployed to *nix boxen than the m$ shite. That also matters.

        2. Trixr

          Obviously spoken as someone who has no idea of how to secure a modern Windows OS on a server. No, it's not perfect, but no OS is.

          In terms of assumptions about Windows, the most harmful one is that "it's simple" and "anyone can manage it". Well, anyone actually can't in an enterprise, securely, but when bosses insist on paying for new graduates rather than people with actual experience and preferably proper security experts to come up with proper hardening practices, and NOT paying for the remediation that needs to happen to deal with the stupid insecure practices they've been perpetuating for many years that MSFT themselves have often been deprecating for literally decades... Not to mention fellow techs who whinge about not getting domain admin or other global and highly-privileged rights when they don't actually need them.

          Which, by the way, many *nix-based vendors have perpetuated - how many SAN or printer or xyz manufacturers have SMB1-only baked into their firmwares until recently (or still)? One large printer manufacturer I dealt with literally only began supporting SMB2+ in a firmware release 2 years ago. It's been deprecated for over a decade. Yes, businesses do in fact buy printers for "scan to network" features, and yes, they will chose devices that offer that vs those that don't.

          Not to mention the vendors who also perpetuate the problems by saying that the current version of their product will only be supported on SQL 2008, for example, because it hasn't been "validated" on a newer SQL version. In the instances they want a crappy old version of SQL, it's because the product itself has been written to use some horrible insecure "sa" logon or something similar. Try telling a hospital they can't use the software that runs their MRI. Or tell a public health service they have to spend multi-millions on an upgrade once the vendor finally gets around to updating their garbage, ahem, software. Which often entails a significant version jump and expense and risk since no-one's done such a thing since it's been installed, and it can't be handled by the usual support staff (at least not without a lot of testing and training, and perhaps training the users, if the version upgrade has also bundled in significant UI changes etc etc etc etc).

          Then you have vendors saying their software requires domain admin rights - thank you, Commvault - and many other similar idiocies, because they can get away with it, and there are not sufficient numbers of people with the expertise to question these blanket statements. I wish MSFT would slap down these "partner" software vendors and make them provide better information to their customers.

    4. MrBoring

      I read elsewhere that they may have been on their systems for 6 months until they struck. They had amply time to really plan and counter any recovery attempt.

    5. Doctor Syntax Silver badge

      "It is 2020, what was the customer data and critical systems doing on Windows boxes, rather than Linux with a snapshotted file system underpinning the storage?"

      In a lot of cases I'd agree with you. That would be the consequence of running a monoculture and getting phished.

      However it looks as if this was the consequence of a failure to protect their VPN against intrusion and the intruders have been able to take their time. By now they'd probably have acquired admin credentials on the Linux boxes. I doubt there's anything beyond a dumb printer in there that could be trusted by now.

    6. SAdams

      Windows can have file level snapshotting, storage level snapshotting and be backed up.

      Even ignoring the Pulse patching issue, and possibly some privileged accounts with dodgy passwords, this is not a Windows issue but a Windows management/governance issue.

  10. frustin

    Cant understand how the virus got on their unless the systems were not kept up to date? or the systems were so out of date they were no longer protected?

    The fact that they're back to pen and paper as well. That's just incredible. Business continuity must be none existent given they've been down since new year's day.

    I bet they're still trying to figure out which systems are affected and they cant turn on the machines, while connected to the network (for fear of infecting others). Which would mean they're having to do it manually, one machine at a time.

    1. Prst. V.Jeltz Silver badge

      Cant understand how the virus got on their unless the systems were not kept up to date?

      You cant?

      Being up-to-date is not a 100% solution for complete cyber security.

      Its just one of the most important steps.

      That vulnerability was there since version X was released , some time later the vendors realised that and issued patch Y

      All of the time datediff( x, y ) the system was up to date and yet still vulnerable to this attack.

  11. Anonymous Coward
    Anonymous Coward

    Is CEO going to be in next honour list

    Is CEO going to be in the next honours list?

    Somebody made "T4lk t4lk" a baroness who is now part of team that are going to "give away" all medical data to Goggle.

    Beggers belief.

    1. BamBam

      Re: Is CEO going to be in next honour list

      She was made a peer about a year before the TalkTalk data breach.

      1. Peter X

        Re: Is CEO going to be in next honour list

        True. But she got the NHS gig _after_ TalkTalk. So, somehow, out of all the people in the world the NHS could've employed, Dido Harding was the person they chose... and I imagine she went through a blind recruitment process so there's no chance nepotism had anything to do with it. <innocent-face>

        1. Roj Blake Silver badge

          Re: Is CEO going to be in next honour list

          Being the wife of a Tory minister and the daughter of a baron had nothing to do with the appointment, natch.

  12. Anonymous Coward
    Anonymous Coward

    The Lie

    Clearly someone not reading from the same page.

    From The Register

    "In a statement to the media, Travelex confirmed it had fallen to a Sodikinobi ransomware infection, though claimed no data had been siphoned off and stolen."

    From BBC news

    'Dates of birth, credit card information and national insurance numbers are all in their possession, they say.

    The hackers said: "In the case of payment, we will delete and will not use that [data]base and restore them the entire network.

    "The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."'

    Never the less. Appointing CEO with no appreciation of security should be discouraged!

    1. Doctor Syntax Silver badge

      Re: The Lie

      Assuming this threat is based on reality what were they doing holding stuff like DoB & NI number? Being asked for that if I wanted to change money would be a red flag.

      1. Anonymous Coward
        Anonymous Coward

        Re: what were they doing holding stuff like DoB & NI number?

        whenever (that's two counts) I tried to buy cash at Thomas Cook (well, last minute rush), they "asked" for my name, ID and postcode. To which I promptly asked "what for, why?" to which I received a polite equivalent of an "I don't give a fuck, you want this money or not?" shrug, to which I responded in kind, and walked out (and yes, there are placed where you don't need all this, and it's still legal). But then, how many people, in the days of I WANT IT NOW, I MUST HAVE IT NOW, walk away? ANYONE? Truth is, their nosiness is, at least partly due to anti-money laundering regulations that are slapped, particularly on large-scale businesses. Not that those regulations are very efficient, given how well they can be circumvented by various, semi-legitimate offshore schemes...

        1. Dog Eatdog
          Big Brother

          Re: what were they doing holding stuff like DoB & NI number?

          I went to a local foreign exchange place in Chinatown here. The teller asked for ID, which I didn't have, so she used her own!

          Maybe if I was only exchanging $100 instead of $10,000 she wouldn't have been so understanding.

          1. keith_w Bronze badge

            Re: what were they doing holding stuff like DoB & NI number?

            in 2005 I went to the UK without a quid in my pocket as my bank branch was out of UK currency. After about 4 days of visiting and paying for everything with my credit card, I was in London about to visit the Tower and saw an ATM, walked up to it put my card in and withdrew a bunch of UK currency. Easiest FX I have ever done.

            1. Trixr

              Re: what were they doing holding stuff like DoB & NI number?

              Except you pay even more for the credit card currency conversion. You may not be visiting a country with ATMs that take your card. I do mightly resent having to present ID to buy cash though.

  13. Buzzword

    Outsourced and out of sight?

    From April 2017: https://www.peterboroughtoday.co.uk/business/leading-peterborough-employer-to-move-city-jobs-to-india-1-7896706

    "Foreign exchange company Travelex, based in Worldwide House, in Thorpe Wood, has been consulting with staff for months over its plans to move some jobs to Asia. It is understood that about 75 finance jobs will be lost to Peterborough. Travelex employs up to 400 people in Peterborough. The remaining staff cover a variety of functions including human resources, IT and customer service. It is understood that the company is seeking to make the redundancies to improve efficiency and to cut costs."

    Sounds like only finance roles were relocated, not IT. Would be interested to hear more from any present or former insiders.

    1. prinz

      Re: Outsourced and out of sight?

      Well, perhaps IT was already outsourced long ago...

      From 2003 :

      https://www.computerworld.com/article/3461252/travelex-saves-with-network-outsourcing.html

      1. Doctor Syntax Silver badge

        Re: Outsourced and out of sight?

        From the link: “We would need to employ people on a 24x7 rostered basis to monitor our network at this level since we can’t afford to have the network offline.”

        So they understood the problem, but not the solution.

  14. Joe Harrison

    What's the future anyway

    Not looking at Travelex in particular but the business model of all high-street bureaux de change is to live in the margin generated by offering retail customers about 6% worse buy/sell exchange rate in comparison to the actual market rate. Now that consumers can pretty much get the real rate anyway (via Revolut et al) then what's the future for the bureaux?

    1. MJB7 Silver badge

      Re: What's the future anyway

      Yup. I just paid about 3.5‰ (that's permill, not percent) to change CHF to EUR with Transferwise.

      Admittedly that's on 10,000 CHF, and it was an electronic transfer. If you want to get €100 in paper notes for starting cash for your holiday, there is always going to be a (significant) cost to that.

    2. Anonymous Coward
      Anonymous Coward

      Re: What's the future anyway

      don't mistake your knowledge / interest (revolut, etc.) with that of the "general public". Or the power of "convenience". I'd think that travelexes of this world would have been long gone, and yet, every time I pass a UK airport, I see their counters, always a couple of travellers being ripped off, and never looking too distressed about that. So, clearly, there's a still a huge market of those who don't know, or don't care to get the best (or good enough) deal.

      1. Hugo Rune
        Holmes

        Re: What's the future anyway

        "always a couple of travellers being ripped off"

        That'll be me. Order online, pick up at the airport. I've always had better rates than the high street / M&S, that way. He who has the last laugh...

      2. ovation1357

        Re: What's the future anyway

        I find it astounding how many people still, quite willingly, pay huge amounts of commission and/or accept terrible rates from banks and bureaus.

        For any holiday travel in Europe you can get completely free cash and card transactions from Metro Bank (or the new Fintech companies although I have no experience of them yet) - if you're lucky enough to be near Metro branch you can turn up with a few ID documents and walk out an hour later with a working debit card plus online banking.

        Like with credit cards they'll use either Visa or MasterCard's standard exchange rate which always seems to be the best us mere mortals could ever get and usually matches the rates on the likes of xe.com

        For further afield there's Halifax's 'Clarity' credit card with zero fees worldwide. If you withdraw cash then they'll charge interest from the point of withdrawal (but crucially, no fees) - a savvy customer might use their online banking to instantly pay off what they just withdrew and then the interest is zero as well ;-)

        The above two options have served me well for about 8 years now. Last time I used any kind of bureau must have been over 10 years ago.

        Will I miss Travelex? No.

        I do hope that all the customers manage to get their money back.

    3. HildyJ Silver badge

      Re: What's the future anyway

      Most consumers want to get a little bit of cash at the airport and change it back when they get back. Whether they are getting a good rate is not a concern to them. Foreign currency is essentially an impulse purchase.

  15. anthonyhegedus Silver badge

    'maintenance'

    I was particularly dismayed to see that the website says that it's under maintenance. At least the UK website did. The US website says they've been hit by a virus. Nice to see they're being so open and transparent, a bit like their exchange rate prices. Set Schadenfreude to maximum!

  16. Anonymous Coward
    Anonymous Coward

    lack of investment

    This is not a new problem for Travelex. This is years of neglect. In a former job I was a hiring manager for a security department. We had one vacancy. Every single person from the local Travelex I.T. team applied for the role and every single one told the same story during interview of the lack if I.T. Security investment within the company. It's been a car crash waiting to happen for years.

    I imagine senior management will pull the same old "we're the victims" like TalkTalk and Vodafone have done previously. We can only hope they're hit with a massive GDPR fine as a warning to others.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020