Travelex Ransomware Attack (2019): What DORA Would Have Required
Sector: Payments. Entity type: Foreign Exchange Services Provider (Bank Third-Party). Dates: December 31, 2019 (attack); August 2020 (administration)

On December 31, 2019, Travelex — a major foreign exchange services provider to global banks — was hit by REvil ransomware, taking systems offline for weeks, disrupting bank customers, and ultimately contributing to the company entering administration.

Key Metrics

  • Systems offline duration: ~2-3 weeks for customer-facing services, with full restoration reportedly taking longer (per press reports)
  • Reported ransom paid: ~USD 2.3M (per Wall Street Journal; neither confirmed nor denied by Travelex)
  • Banks affected: 7+ UK banks (Barclays, HSBC, Lloyds, NatWest/RBS, Sainsbury's Bank, Tesco Bank, Virgin Money)
  • Jobs lost (administration): ~1,300 (per PwC, the appointed administrator)
  • Incident-related losses: ~GBP 25M in Q1 2020 (per Finablr/Travelex public filings)

The Situation

The Business Consequence

The Travelex ransomware attack had consequences that extended well beyond the immediate technical incident, according to publicly reported information:

Financial and corporate impact:

  • According to Finablr (Travelex's parent company at the time) public filings and press reports, Travelex reported losses of approximately GBP 25 million in the first quarter of 2020 related to the cyber incident and subsequent business disruption.
  • In August 2020, approximately eight months after the ransomware attack, Travelex entered administration (the UK equivalent of bankruptcy protection), according to PwC (the appointed administrator) and Companies House filings. While the COVID-19 pandemic's impact on travel was cited as a major factor, the ransomware attack and its lingering effects were also identified as contributing factors in public reporting.
  • Approximately 1,300 UK jobs were lost when Travelex entered administration, according to PwC's public statements as administrator.
  • The company's brand reputation suffered sustained damage, with customer trust significantly eroded according to press coverage and industry commentary.

Regulatory context:

  • At the time of the attack, the UK's Financial Conduct Authority (FCA) regulated Travelex as an authorized payment institution. According to press reports, the FCA was engaged with Travelex regarding the incident.
  • The Information Commissioner's Office (ICO) was notified regarding potential personal data exposure, as required under GDPR/UK Data Protection Act, according to Travelex's public statements.
  • The incident predated DORA (which was proposed in September 2020 and adopted in December 2022), but it was referenced in subsequent EU regulatory discussions about the need for comprehensive ICT third-party risk management in financial services.

Third-party risk visibility gap:

From what was publicly reported, the banks affected by the Travelex outage were in exactly the position DORA's third-party provisions are written for:

  • They had outsourced a customer-facing service (online travel money ordering) to a single third party.
  • When that third party was compromised, the banks' own customers lost the service, even though no bank system was attacked.
  • The banks had, as far as is publicly known, limited visibility into Travelex's security posture, incident response capability and recovery timeline.
  • Nothing in the public record indicates contractual levers that let the banks compel faster recovery or obtain detailed incident information.
  • No bank appears to have had a pre-arranged alternative provider or internal fallback that allowed rapid substitution; the service simply stayed down.

The Challenge

The Attack and Its Cascading Impact

On December 31, 2019, Travelex — at the time one of the world's largest foreign exchange companies, providing currency services to banks, retailers, and consumers globally — was hit by a ransomware attack. According to press reports from the BBC, Reuters, and the Wall Street Journal, the attack was attributed to the REvil (Sodinokibi) ransomware group.

What was publicly reported about the attack:

  • Travelex took all its systems offline on December 31, 2019, as a precautionary measure, according to the company's public statements at the time.
  • The company's website, app, and internal systems were unavailable for approximately two to three weeks for customer-facing services, with full restoration reportedly taking longer.
  • According to a Wall Street Journal report published in April 2020, Travelex paid approximately USD 2.3 million (GBP 1.8 million) in ransom to the attackers in Bitcoin. Travelex did not publicly confirm or deny this report.
  • The REvil group claimed to have accessed Travelex's network and exfiltrated approximately 5 GB of data, including customer dates of birth, social security (national insurance) numbers, and payment card information, according to press reporting of the group's statements; the claim was never independently verified. Travelex stated at the time that it had found no evidence that structured personal customer data had been encrypted and no evidence that any data had been exfiltrated.

Impact on banking customers:

Travelex was not itself a bank, but it provided foreign exchange services as a third-party provider to multiple major UK and international banks. According to BBC and Guardian reporting:

  • Barclays, HSBC, Lloyds Banking Group, Royal Bank of Scotland (NatWest Group), Sainsbury's Bank, Tesco Bank, and Virgin Money were all publicly reported to have been affected, as they relied on Travelex to provide online travel money services to their customers.
  • Bank customers were unable to order foreign currency online through their banks' websites during the outage period.
  • Some banks temporarily directed customers to Travelex's physical bureaux or alternative providers, but many customers reported no immediate alternatives.

The Travelex incident is significant because it occurred before DORA was finalized, making it a natural case study for what the regulation was designed to prevent.

The Approach

DORA's Retrospective Application: What Would Have Been Different

Analyzing the Travelex incident against DORA's requirements shows which provision addresses each failure point that was exposed. Two scoping assumptions underlie the analysis and would have to be made explicitly by each bank: that the white-labeled online ordering platform qualifies as an ICT service (Art. 3(21)) provided by an ICT third-party service provider (Art. 3(19)), and that online travel money ordering is, for that bank, a critical or important function (Art. 3(22)). The third-party obligations discussed below attach in full only when both hold; the physical currency fulfilment behind the platform would not by itself be an ICT service.

Pillar IV: Third-Party Risk Management (Art. 28-44)

Exit strategies (Art. 28(8)):

DORA requires financial entities to put in place exit strategies for ICT services supporting critical or important functions, taking into account a possible failure of the provider or a deterioration of the service, and to keep the exit plans documented, sufficiently tested and periodically reviewed. Had this been in force, and had the banks classified online travel money ordering as a critical or important function, they would have been required to hold an alternative provider arrangement or an internal fallback, not merely a termination clause. The weeks-long disruption with no viable alternative is the case for making exit strategies mandatory rather than optional. The practical check is simple: for each provider in the register of information (Art. 28(3)) that supports a critical or important function, is there a named fallback, and has it actually been exercised?

Contractual requirements (Art. 30):

DORA specifies minimum contractual provisions for all ICT third-party arrangements (Art. 30(2)) and additional ones where the service supports a critical or important function (Art. 30(3)), including:

  • Service level descriptions (Art. 30(2)(e)), with quantitative and qualitative performance targets for critical or important functions (Art. 30(3)(a))
  • The provider's obligation to assist when an ICT incident related to the service occurs, at no additional or at a pre-determined cost (Art. 30(2)(f))
  • Notice periods and reporting obligations of the provider, including notification of any development that might materially affect its ability to deliver the service (Art. 30(3)(b))
  • Full cooperation with the financial entity's competent and resolution authorities (Art. 30(2)(g)) and unrestricted rights of access, inspection and audit for the financial entity and its supervisors (Art. 30(3)(e))
  • Termination rights with minimum notice periods (Art. 30(2)(h)) and a mandatory adequate transition period as part of the exit strategy (Art. 30(3)(f))

According to press reporting, affected banks had limited contractual mechanisms to obtain timely information about the incident's scope, Travelex's recovery progress, or the potential exposure of customer data. A Travelex-type outage is the scenario Art. 30(3)(b) is written for: the provider, not the bank, holds the facts about what happened and when service will return.

Concentration risk (Art. 29(1)):

Before concluding an arrangement, a financial entity must assess whether it would be contracting with a provider that is not easily substitutable, or stacking multiple arrangements on the same provider or closely connected providers (Art. 29(1)). For online travel money ordering, Travelex was effectively non-substitutable at short notice for each bank that used it; an Art. 29(1) assessment would have surfaced that and pushed towards a second provider or an internal capability. Note that Art. 29 is an entity-level assessment. The fact that seven or more UK banks shared the same provider is sector-level concentration, which DORA addresses through the registers of information that financial entities make available to competent authorities (Art. 28(3)) and through the oversight framework for critical ICT third-party providers (Art. 31 onwards), not through any single bank's assessment.

Pillar II: Incident Management (Art. 17-23)

Incident classification and reporting (Art. 18-19):

Under DORA, each affected bank would have to classify the disruption of its own online travel money service as an ICT-related incident (Art. 18) and determine whether it is a major incident against the Art. 18(1) criteria: number and relevance of clients affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact. The point that matters for third-party incidents is that the incident belongs to the bank as well as to the provider: a weeks-long outage of a customer-facing service would be a strong candidate for major status at each bank, triggering the Art. 19 initial, intermediate and final reports from every affected entity, not just from Travelex. Whether it in fact crosses the threshold depends on the materiality thresholds in the classification RTS adopted under Art. 18(3) and on how critical the service is to the particular bank.

Third-party incident information rights (Art. 30(3)(b)):

DORA requires contractual provisions ensuring that financial entities receive timely and adequate information from their ICT service providers about incidents affecting the services provided, including notification of any development that might materially affect service delivery. Without that information a bank cannot classify the incident, let alone file an initial report within the Art. 19 deadline. The reported communication gaps during the Travelex outage illustrate why these provisions are necessary.

Pillar I: ICT Business Continuity (Art. 11)

Testing third-party failure scenarios (Art. 11(4) and 11(6)):

DORA requires ICT business continuity plans to be put in place, maintained and periodically tested, notably for critical or important functions outsourced or contracted to ICT third-party service providers (Art. 11(4)), with plans tested at least yearly and against scenarios that include cyber-attacks (Art. 11(6)). Banks relying on Travelex would need to have exercised the scenario of their foreign exchange provider being unavailable for an extended period, covering customer communication, alternative service provision and impact management. The test has to use a realistic duration: a provider that has been hit by ransomware and has taken all of its systems offline is not back in 48 hours, and a plan that only covers a short outage would not have helped here.

The Results

Publicly Documented Outcomes

Based on publicly available information from press reports, regulatory filings, and corporate disclosures:

Travelex corporate trajectory:

  • Travelex entered administration in August 2020. According to PwC (the administrator), the combination of the ransomware attack's financial impact and the COVID-19 pandemic's destruction of travel demand made the business unviable in its existing form.
  • The Travelex brand and certain operations were subsequently acquired, but the company's scale and market position were permanently diminished.
  • The estimated GBP 25 million in direct incident-related losses (per public filings), combined with the reported USD 2.3 million ransom payment (per Wall Street Journal), represented a significant financial burden on an already pressured business.

Impact on affected banks:

  • According to press reports, affected UK banks faced customer complaints, negative media coverage, and reputational damage associated with their inability to provide foreign exchange services during the outage.
  • Several banks subsequently diversified their foreign exchange service providers or developed internal capabilities, according to industry reporting.
  • The incident reportedly accelerated UK banking sector focus on third-party risk management, with the FCA and PRA subsequently publishing enhanced expectations around operational resilience and third-party risk.

Regulatory legacy:

  • The UK's Financial Services and Markets Act 2023, which includes provisions for critical third-party oversight (similar to DORA Art. 31-44), was informed partly by incidents like Travelex.
  • The European Commission's DORA proposal (September 2020) was published approximately nine months after the Travelex incident. While DORA's development had been underway before the attack, the Travelex case provided a concrete, publicly documented example of the risks the regulation was designed to address.
  • Cybersecurity researchers and regulatory commentators have extensively cited the Travelex case as illustrating the cascading impact of ransomware attacks on third-party providers in financial services.

The Travelex incident remains a landmark case in financial services cybersecurity, not because it was the largest attack in scale, but because it demonstrated how a single third-party provider's compromise could cascade through a network of financial institutions, affect the customers of multiple banks, and ultimately destroy the provider's business. Each failure point it exposed maps to a specific DORA provision, subject to the scoping judgements (ICT service, critical or important function) that each bank has to make for itself.

Lessons Learned

  1. DORA Art. 28(8) exit strategies are not theoretical governance exercises: the Travelex case shows that banks without documented alternatives were stranded for weeks when their third-party provider was compromised, with no rapid substitution path available.
  2. DORA Art. 30(3)(b) reporting obligations and Art. 30(2)(f) incident assistance clauses in third-party contracts address the communication vacuum that reportedly existed during the Travelex outage, where affected banks had limited visibility into the incident scope and recovery timeline.
  3. DORA Art. 29(1) substitutability and concentration assessment would have flagged, at each bank, that a single provider for a customer-facing service could not be replaced at short notice; the sector-wide dependency of multiple UK banks on the same provider is what the registers of information (Art. 28(3)) are designed to make visible to supervisors.
  4. DORA Art. 11(4) and 11(6) business continuity testing must include third-party failure scenarios with realistic durations. A three-week outage of a customer-facing service is a plausible scenario that should be tested, not dismissed as unlikely.
  5. The Travelex case demonstrates that ransomware attacks on third-party providers can have existential consequences for the provider itself, validating DORA's requirement for due diligence on prospective providers (Art. 28(4)(d)), which in practice has to cover the provider's financial soundness as well as its operational resilience.
  6. Regulatory cascading is real: one provider's failure triggered supervisory engagement from multiple authorities (FCA, ICO). Under DORA, each affected bank would separately need to classify and, if the thresholds are met, report the incident as a major ICT-related incident (Art. 18-19), multiplying the regulatory reporting burden but also ensuring supervisory visibility.

Tags: ransomware, third-party, exit-strategy, foreign-exchange, business-continuity, concentration-risk, pillar-iv, pillar-ii

Disclaimer:This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.

Facing similar challenges?

See how Valendir can help your institution achieve and maintain DORA compliance with deterministic workflows, immutable evidence, and continuous assurance.