Foreign currency exchange specialist Travelex has taken all of its websites offline, including its NZ site, as it grapples with a US$6 million ($8.5m) ransom demand from hackers who have stolen a huge chunk of its customer data.
The London-based Travelex is the issuer of Air New Zealand's OneSmart card, which can be loaded with funds in up to eight different foreign currencies before a trip, at locked-in exchange rates.
However, a spokeswoman for the airline said it was not affected by the cyber-heist, and nor were its customers.
"OneSmart does not use the Travelex foreign exchange services affected by the attack so Onesmart cardholders are not impacted," she said.
"We have received confirmation from our OneSmart programme manager Mastercard that this attack will not compromise OneSmart in any way and Onesmart customers do not need to take any action."
BBC cyber-security reporter Joe Tidy said Travelex has had to resort to pen and paper while it weighs the US$6m demand from a "ransomware" gang called Sodinokibi - who earlier infiltrated the company's systems with malware and seized around five gigabytes of customer data, including dates of birth and credit card information.
The London Metropolitan Police said in a statement that it was investigating the cyber-heist after being alerted by Travelex on January 2 (under the EU's Under General Data Protection Regulation or GDPR, which came into force last year, a company that fails to comply can face a maximum fine of 4 per cent of its global turnover. A revamp of NZ's Privacy Act, which is expected to come into force this year, includes a mandatory data breach disclosure provision but not fines for non-compliance).
The hackers said, according to the BBC: "In the case of payment, we will delete and will not use that [data]base and restore them the entire network.
"The deadline for doubling the payment is two days. Then another seven days and the sale of the entire base."
Travelex told the BBC it was working with police and has deployed teams of IT specialists and external cyber-security experts who have been working continuously.
NZ Police advise individuals and organisations not to pay up if hit by ransomware. They say there is no guarantee that data will be returned, and that funds often go to organised criminals who are also involved in hardcore offending in other areas such as drugs and human trafficking.
But when the Wannacry ransomware attack hit multiple countries in 2017, NZ lawyer Michael Wigley said those hit should consider paying up.
Data was returned in some instances, and paying up could be the pragmatic thing to do if a relatively small demand was involved, Wigley said.
He also maintained that giving in could even be the principled path.
"Sometimes paying out could even answer a legal duty. Say A has a duty to protect B's information, such as under a contract or some other duty and a ransom leads to a breach of that duty," he told this reporter.
"The ransomed company A has a duty to mitigate loss and one way to do that could be to pay out on the ransom."
Crown agency CERT NZ, setup as a first-point-of-contact for individuals or organisations hit by hackers, received 22 ransomware reports in the third quarter of last year (its most recent reporting period), but from 18 in the year-ago quarter.
Overall, New Zealanders lost $3.8m to cyber-attacks in the September quarter, CERT NZ said, versus $3m in the year-ago quarter.
CERT (Computer Emergency Response Team) head Rob Pope has previously cautioned about reading too much into CERT NZ figures at this point, however, given the agency is still only a couple of years old, with many not aware of the option to report attacks and seek help. Others prefer to keep the embarrassment of losing data to themselves.