In Stevenage, Natalie Whiting walked into a Tesco on January 3 expecting to collect roughly 1,000 pounds worth of euros she had ordered online. She left empty-handed. The money had been taken from her account. The store told her the system was down. The reason: a ransomware attack on Travelex, the London-based foreign exchange giant, had knocked its global online systems offline four days earlier.
Whiting is one of thousands of customers caught in the fallout. The attack, launched on December 31, 2019, by the cybercriminal group REvil — also known as Sodinokibi — forced Travelex to shut down its entire digital infrastructure. The company initially told the public it was performing technical upgrades. It later admitted the truth: a malicious gang had compromised its computer systems and was demanding a ransom.
The ransom demand sits between three and six million dollars. REvil threatened to sell Travelex’s stolen client database and computer systems on the dark web if the money was not paid.
But the story is not just about Travelex. It is about the companies that depend on it. The ripple effect hit major retailers and financial institutions across the United Kingdom and beyond. Asda, HSBC, Sainsbury’s, Tesco, and Virgin Money all felt the disruption. Their customers suddenly could not access foreign currency orders or complete standard banking transactions tied to Travelex’s exchange service.
That is the single most important fact here: a single ransomware attack on one company froze currency transactions for millions of people through multiple major brands. The breach did not just lock Travelex out of its own systems. It locked its partners out too. And it locked their customers out of their own money.
Whiting’s experience makes the abstraction concrete. She did not deal with Travelex directly. She went through Tesco. She placed an order online. She paid. She showed up to collect. The system was dead. The money was gone from her account. The euros were not in her hands. No one could tell her when the problem would be fixed.
The attack itself is a textbook ransomware play. REvil gained access to Travelex’s network, encrypted the data, and demanded payment for the decryption key. But the group added an extra layer of pressure: it threatened to dump the stolen client database and internal systems onto the dark web for sale. That threat turns a simple extortion attempt into a data breach with long-term consequences for customer privacy and corporate liability.
Travelex’s initial response — blaming the outage on planned technical upgrades — suggests the company hoped to contain the reputational damage while it negotiated or fought the attack in private. That strategy collapsed when the truth emerged. The company eventually confirmed the ransomware infection and the involvement of REvil.
For the affected retailers and banks, the outage was immediate and total. Their currency transaction systems rely on Travelex’s backend infrastructure. When that infrastructure went dark, so did their ability to process foreign exchange orders. Customers who had already paid for currency they had not yet received found themselves in limbo. Customers who needed to buy currency for upcoming travel found themselves locked out.
The timing made it worse. December 31 is a peak period for foreign currency orders as people prepare for holiday travel and New Year trips. The attack hit at the worst possible moment for both the company and its customers.
Travelex has not publicly stated whether it paid the ransom. It has not said whether the stolen data was actually sold. It has not given a timeline for when its systems will be fully restored. What is clear is that one ransomware attack, launched by one criminal group, shut down a global currency exchange operation and left ordinary people like Natalie Whiting standing at a Tesco counter with money missing from their accounts and no euros in their pockets.
