Post Office ditches MoneyGram after cyber attack

MoneyGram services will no longer be available in thousands of Post Office branches from today, as its contract renewal is cancelled in the wake of a major cyber securuty incident.

A new contract between the companies was set to begin this week, but following the major cyber security incident at MoneyGram earlier this month, it has been canned as the Post Office seeks more assurances from the US money transfer firm over the service.

The US-based financial services firm turned down an offer of a short contract extension from the Post Office. In a message to its branches on Monday September 30, the Post Office said the contract with MoneyGram would expire at midnight.

Fintech MoneyGram enables users to transfer money, pay bills and trade in cryptocurrencies. It was forced to suspend services in the wake of an ongoing cyber security incident.

The issue began on Friday 20 September, when customers began to report problems, but it was at first identified as a simple network outage affecting connectivity.

The Post Office said MoneyGram services are still unavailable across the thousands of Post Office branches around the UK, while the organisation ensures it understands “the protective measures that MoneyGram have implemented following the incident”.

A new contract was close to being agreed before the cyber incident. The Post Office told subpostmasters: “Post Office and MoneyGram have been in contract negotiations since June of this year and had expected to agree a new contract to roll on from 1 October 2024. The contracting process was in the final stages when, unfortunately, MoneyGram suffered the cyber attack.”

The Post Office said it offered to extend the current contract for a shorter period to enable both organisations “to prioritise the service renewal activity”. The Post Office said this would have also enabled it to understand any longer-term impact of MoneyGram’s cyber incident for its customers, subpostmasters, and partners.

But MoneyGram did not accept the offer and the contract ended. The Post Office apologised for the one0day notice to subpostmasters.

The organisation left the door open for a future contract, stating: “We are still committed to finding a way to try to continue our partnership and dialogue continues with MoneyGram. If there is any change, we will be immediately in touch.”

Post Office branched offered three separate services from MoneyGram – MG Send, MG Receive, and MG Cancellations. 

The Post Office said all transactions processed through a Post Office branch before MoneyGram went offline on 20 September have been sent to MoneyGram.

Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said that money transfer services made tempting targets for cyber criminals since they handle large amounts of digital case and hold extremely sensitive data. That MoneyGram appears to have been attacked is therefore not surprising.

“The challenge is balancing security with keeping services running,” said Mittal. “By taking everything offline, MoneyGram clearly put security first, but it also highlights a common struggle in the financial sector – how do you protect sensitive data without shutting down the business? Are companies ready to handle that challenge?”